CVE-2026-50529

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share password or ticket, allowing unauthenticated attackers who know a protected share UUID to obtain a valid link token for subsequent share-related API calls even with missing or invalid credentials. This issue is fixed in version 2.10.24.
CVSS

No CVSS.

Configurations

No configuration.

History

08 Jul 2026, 14:17

Type Values Removed Values Added
References () https://github.com/dataease/dataease/security/advisories/GHSA-7287-qqj9-phr6 - () https://github.com/dataease/dataease/security/advisories/GHSA-7287-qqj9-phr6 -

07 Jul 2026, 21:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-07 21:17

Updated : 2026-07-08 15:07


NVD link : CVE-2026-50529

Mitre link : CVE-2026-50529

CVE.ORG link : CVE-2026-50529


JSON object : View

Products Affected

No product.

CWE
CWE-863

Incorrect Authorization