Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was identified in JeecgBoot up to 3.9.2. The impacted element is an unknown function of the file /airag/airagModel/test. The manipulation of the argument baseUrl leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. A fix is planned for the upcoming release.
AnalysisAI
Server-side request forgery in JeecgBoot up to 3.9.2 allows low-privileged remote attackers to make the application server issue arbitrary outbound HTTP requests via the unvalidated baseUrl parameter in the /airag/airagModel/test endpoint. Publicly available exploit code exists (E:P in CVSS 4.0 vector), though no active exploitation has been confirmed by CISA KEV. Impact is rated low across confidentiality, integrity, and availability (VC:L/VI:L/VA:L), but SSRF primitives in low-code platforms can enable internal network reconnaissance and lateral movement against services inaccessible from the internet. No vendor-released patch has been issued at time of analysis - a fix is planned for an upcoming release.
Technical ContextAI
JeecgBoot is a Java-based open-source low-code development platform. The vulnerable endpoint /airag/airagModel/test belongs to an AI Retrieval-Augmented Generation (RAG) module, which by design performs outbound HTTP calls to AI model backends. The baseUrl argument that specifies the target URL is insufficiently validated before being used to construct and dispatch server-side HTTP requests, matching CWE-918 (Server-Side Request Forgery). This class of vulnerability arises when application code fetches user-supplied URLs without restricting destination hosts, schemes, or IP ranges. Because AI feature endpoints commonly communicate with configurable backend services, SSRF is a structurally expected risk in this code path if input is not allowlisted. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms the endpoint is network-accessible, requires no attack complexity or additional preconditions, and demands only low privileges - consistent with authenticated but non-administrative API access.
RemediationAI
No vendor-released patch has been identified at time of analysis; a fix is described as planned for an upcoming JeecgBoot release. Organizations should monitor the JeecgBoot GitHub repository (https://github.com/jeecgboot/JeecgBoot) and issue #9609 for patch availability. Until a patch is released, the primary compensating control is to restrict or disable access to the /airag/airagModel/test endpoint via reverse proxy or WAF rules - note this may disrupt AI RAG testing functionality for developers. A secondary control is to enforce egress filtering on the JeecgBoot application server to block outbound HTTP/HTTPS to RFC-1918 private address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and cloud metadata IP ranges (169.254.169.254), which limits the internal reconnaissance value of any SSRF. Additionally, enforce the principle of least privilege on JeecgBoot accounts to limit who can reach the /airag/ endpoint family. These controls reduce blast radius but do not eliminate the vulnerability.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33603
GHSA-q4c7-vxgr-r6m2