Skip to main content

JeecgBoot CVE-2026-9373

| EUVDEUVD-2026-31587 MEDIUM
Improper Authentication (CWE-287)
2026-05-24 VulDB GHSA-fvq7-vj2h-wmm9
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
May 26, 2026 - 19:37 NVD
LOW MEDIUM
CVSS changed
May 26, 2026 - 19:37 NVD
3.7 (LOW) 6.3 (MEDIUM)
Analysis Generated
May 24, 2026 - 10:45 vuln.today

DescriptionCVE.org

A vulnerability has been found in JeecgBoot 3.9.1. This issue affects some unknown processing of the file /openapi/call/ of the component OpenAPI Endpoint. Such manipulation leads to improper authentication. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Improper authentication in JeecgBoot 3.9.1 OpenAPI endpoint allows remote attackers to bypass authentication checks and perform unauthorized actions, though exploitation is rated difficult due to high attack complexity. No public exploit code has been identified and no vendor response has been received. With CVSS 3.7 (Low severity) and AV:N/AC:H/PR:N parameters, the vulnerability poses limited immediate risk but requires monitoring given the authentication bypass nature and remote attack vector.

Technical ContextAI

JeecgBoot is a Java-based low-code development platform built on Spring Boot. The vulnerability resides in the OpenAPI endpoint handler at /openapi/call/, which implements programmatic API access for external integrations. CWE-287 (Improper Authentication) indicates the endpoint fails to correctly verify caller identity or credentials, potentially allowing requests to bypass authentication gates. The OpenAPI component typically handles RESTful API requests and may rely on token validation, signature verification, or session management that contains implementation flaws. Given the AC:H (high complexity) rating, successful exploitation likely requires specific preconditions such as knowledge of API structure, timing dependencies, or particular request crafting beyond simple unauthenticated access.

RemediationAI

No vendor-released patch identified at time of analysis - the vendor was contacted early but provided no response per the CVE description. Organizations running JeecgBoot 3.9.1 should implement compensating controls until an official fix is available. Primary mitigation: Restrict network access to the /openapi/call/ endpoint using web application firewall rules, API gateway authentication enforcement, or network segmentation to limit exposure to trusted IP ranges only - this reduces attack surface but may impact legitimate external integrations requiring API access. Secondary mitigation: Enable comprehensive logging and monitoring for the OpenAPI endpoint to detect anomalous authentication attempts or unusual API call patterns that may indicate exploitation attempts - this provides detection capability but does not prevent exploitation. Tertiary option: Disable the OpenAPI endpoint entirely if business operations permit, though this eliminates programmatic API integration capabilities. Monitor JeecgBoot project channels (likely GitHub at jeecgboot/jeecg-boot) for security advisories or version releases addressing CVE-2026-9373. Validate any applied mitigations do not break required API functionality before production deployment. Reference: https://vuldb.com/vuln/365337 for additional community intelligence.

Share

CVE-2026-9373 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy