Skip to main content

JeecgBoot CVE-2026-10241

| EUVDEUVD-2026-33605 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-01 cna@vuldb.com GHSA-3m2m-6phq-rxrq
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 01, 2026 - 09:34 vuln.today
Analysis Generated
Jun 01, 2026 - 09:34 vuln.today

DescriptionCVE.org

A security flaw has been discovered in jeecgboot The server processes these URLs up to 3.9.1. This affects the function FileDownloadUtils.download2DiskFromNet of the file /airag/app/debug of the component Cloud Instance Metadata Endpoint. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.9.2 mitigates this issue. It is suggested to upgrade the affected component.

AnalysisAI

Server-side request forgery in JeecgBoot versions up to 3.9.1 allows authenticated remote attackers to manipulate the FileDownloadUtils.download2DiskFromNet function via the /airag/app/debug endpoint, coercing the server into issuing arbitrary HTTP requests - including to cloud instance metadata services that may expose cloud credentials. Publicly available exploit code exists (confirmed by CVSS 4.0 E:P modifier and CVE description), though no active exploitation is confirmed by CISA KEV. The CVSS 4.0 score of 2.1 reflects constrained scope and the low-privilege authentication requirement, but defenders on cloud infrastructure using IMDSv1 should treat the real-world impact as potentially higher than the score suggests.

Technical ContextAI

JeecgBoot is a Java-based low-code rapid development platform with AI-assisted application building capabilities. The vulnerability resides specifically in the AI RAG (Retrieval-Augmented Generation) application's debug interface at the /airag/app/debug endpoint. The FileDownloadUtils.download2DiskFromNet function accepts user-supplied URLs and fetches their content to disk without adequate server-side validation - a textbook CWE-918 (Server-Side Request Forgery) root cause. The CVE description explicitly names the 'Cloud Instance Metadata Endpoint' as an affected component, indicating the server can be directed to fetch cloud provider metadata services such as AWS IMDSv1 (169.254.169.254), potentially leaking IAM role credentials or internal topology. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms the attack is network-reachable with low complexity and requires only a low-privilege authenticated session. No CPE strings were provided in the source data.

RemediationAI

Upgrade JeecgBoot to version 3.9.2, which is the vendor-confirmed patch for this vulnerability per the official GitHub release at https://github.com/jeecgboot/JeecgBoot/releases/tag/v3.9.2. The release notes confirm this SSRF fix was included alongside multiple other high-severity security patches. If immediate upgrade is not possible, restrict or disable access to the /airag/app/debug endpoint at the network perimeter or web application firewall layer - this is a debug interface that should not be exposed in production environments, and disabling it removes the attack surface with minimal functional impact on end users. As an independent cloud-layer control, enable IMDSv2 (session-oriented metadata access) on AWS EC2 instances or equivalent session-protected metadata access on other cloud providers (GCP, Azure); this prevents credential theft via basic SSRF because IMDSv2 requires an additional PUT-based token exchange that cannot be replicated by a simple server-fetched URL. Note that IMDSv2 hardening mitigates the cloud credential exposure risk but does not remediate the underlying SSRF vulnerability itself.

Share

CVE-2026-10241 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy