Skip to main content

JeecgBoot CVE-2026-58377

| EUVDEUVD-2026-40364 HIGH
Missing Authorization (CWE-862)
2026-06-30 VulnCheck GHSA-6w4x-5vf2-7756
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable endpoints with low complexity and only a low-privilege account (PR:L); plaintext secret disclosure gives C:H and credential CRUD gives I:H, with no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jun 30, 2026 - 17:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 17:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 17:22 NVD
8.1 (HIGH) 8.6 (HIGH)
Analysis Generated
Jun 30, 2026 - 17:19 vuln.today

DescriptionCVE.org

JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI credentials by accessing the OpenApiAuthController and OpenApiPermissionController endpoints which lack Shiro authorization annotations. Attackers can exploit the unenforced access controls to list, add, edit, and delete all AK/SK credential pairs, with the list endpoint returning secret keys in plaintext, enabling credential theft and unauthorized invocation of the OpenAPI surface.

AnalysisAI

Broken access control in JeecgBoot through 3.9.2 lets authenticated low-privilege users reach the OpenApiAuthController and OpenApiPermissionController endpoints, which are missing Shiro authorization annotations, to fully manage OpenAPI AK/SK credentials. Because the list endpoint returns secret keys in plaintext, any logged-in user can harvest every Access Key/Secret Key pair and then create, modify, or delete them, enabling credential theft and unauthorized invocation of the OpenAPI surface. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege JeecgBoot account
Delivery
Authenticate and reach OpenApi controllers
Exploit
Call unauthorized credential list endpoint
Execution
Harvest plaintext AK/SK secret keys
Impact
Invoke OpenAPI or alter/delete credentials

Vulnerability AssessmentAI

Exploitation Requires a valid authenticated low-privilege JeecgBoot session (CVSS PR:L) - the OpenApiAuthController and OpenApiPermissionController endpoints are network-reachable and need no user interaction, but they are not anonymously exploitable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) scores 8.6 and is internally consistent with the description: network-reachable, low complexity, only low privileges required, no user interaction, with high confidentiality and integrity impact and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains any ordinary low-privilege JeecgBoot account, authenticates, and sends a request to the unprotected OpenApiAuthController list endpoint, which returns every AK/SK pair with secret keys in plaintext. Using AV:N/AC:L and the public POC, the attacker harvests valid credentials and then either invokes the OpenAPI surface as a trusted client or uses the edit/delete endpoints to tamper with or remove credential pairs.
Remediation No vendor-released patch version was identified at time of analysis - the only references are the JeecgBoot GitHub issue (https://github.com/jeecgboot/JeecgBoot/issues/9705) and the VulnCheck advisory (https://www.vulncheck.com/advisories/jeecgboot-missing-authorization-on-openapi-credential-management-endpoints-exposes-access-secret-keys); monitor both for a fixed release and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all JeecgBoot deployments at version 3.9.2 and earlier; audit access logs to OpenApiAuthController and OpenApiPermissionController for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58377 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy