Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been found in JeecgBoot 3.9.1. This issue affects some unknown processing of the file /openapi/call/ of the component OpenAPI Endpoint. Such manipulation leads to improper authentication. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Improper authentication in JeecgBoot 3.9.1 OpenAPI endpoint allows remote attackers to bypass authentication checks and perform unauthorized actions, though exploitation is rated difficult due to high attack complexity. No public exploit code has been identified and no vendor response has been received. With CVSS 3.7 (Low severity) and AV:N/AC:H/PR:N parameters, the vulnerability poses limited immediate risk but requires monitoring given the authentication bypass nature and remote attack vector.
Technical ContextAI
JeecgBoot is a Java-based low-code development platform built on Spring Boot. The vulnerability resides in the OpenAPI endpoint handler at /openapi/call/, which implements programmatic API access for external integrations. CWE-287 (Improper Authentication) indicates the endpoint fails to correctly verify caller identity or credentials, potentially allowing requests to bypass authentication gates. The OpenAPI component typically handles RESTful API requests and may rely on token validation, signature verification, or session management that contains implementation flaws. Given the AC:H (high complexity) rating, successful exploitation likely requires specific preconditions such as knowledge of API structure, timing dependencies, or particular request crafting beyond simple unauthenticated access.
RemediationAI
No vendor-released patch identified at time of analysis - the vendor was contacted early but provided no response per the CVE description. Organizations running JeecgBoot 3.9.1 should implement compensating controls until an official fix is available. Primary mitigation: Restrict network access to the /openapi/call/ endpoint using web application firewall rules, API gateway authentication enforcement, or network segmentation to limit exposure to trusted IP ranges only - this reduces attack surface but may impact legitimate external integrations requiring API access. Secondary mitigation: Enable comprehensive logging and monitoring for the OpenAPI endpoint to detect anomalous authentication attempts or unusual API call patterns that may indicate exploitation attempts - this provides detection capability but does not prevent exploitation. Tertiary option: Disable the OpenAPI endpoint entirely if business operations permit, though this eliminates programmatic API integration capabilities. Monitor JeecgBoot project channels (likely GitHub at jeecgboot/jeecg-boot) for security advisories or version releases addressing CVE-2026-9373. Validate any applied mitigations do not break required API functionality before production deployment. Reference: https://vuldb.com/vuln/365337 for additional community intelligence.
Broken access control in JeecgBoot through 3.9.2 lets authenticated low-privilege users reach the OpenApiAuthController
SQL injection vulnerability in Beijing Guoju Information Technology Co., Ltd JeecgBoot v.3.7.2 allows a remote attacker
JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryFilterTableDictIn
JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryTableDictItemsByC
Improper access control in JeecgBoot through version 3.9.1 exposes the LoginController.selectDepart endpoint at /sys/sel
Improper authorization in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to bypass access controls
Improper access control in JeecgBoot's AiragModelController (versions up to 3.9.1) permits any authenticated low-privile
Improper access control in JeecgBoot versions up to 3.9.1 allows authenticated low-privileged remote attackers to bypass
JeecgBoot versions from 3.4.3 up to 3.8.0 were found to contain a SQL injection vulnerability in the /jeecg-boot/online/
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31587
GHSA-fvq7-vj2h-wmm9