DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share password or ticket, allowing unauthenticated attackers who know a protected share UUID to obtain a valid link token for subsequent share-related API calls even with missing or invalid credentials. This issue is fixed in version 2.10.24.
CVSS
No CVSS.
References
Configurations
No configuration.
History
08 Jul 2026, 14:17
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/dataease/dataease/security/advisories/GHSA-7287-qqj9-phr6 - |
07 Jul 2026, 21:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-07 21:17
Updated : 2026-07-08 15:07
NVD link : CVE-2026-50529
Mitre link : CVE-2026-50529
CVE.ORG link : CVE-2026-50529
JSON object : View
Products Affected
No product.
CWE
CWE-863
Incorrect Authorization
