Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument userIdentity results in improper access controls. The attack may be launched remotely. The exploit has been made public and could be used. Upgrading to version 3.9.2 is recommended to address this issue. The affected component should be upgraded.
AnalysisAI
Improper access control in JeecgBoot versions up to 3.9.1 allows authenticated low-privileged remote attackers to bypass authorization checks by manipulating the userIdentity argument in the SysUser component's user.getUsername function at the /sys/user/login/setting/userEdit endpoint. A publicly available proof-of-concept exploit exists via GitHub issue #9596, increasing practical risk for any multi-user JeecgBoot deployment where adversaries hold a low-privileged account. Vendor-released patch v3.9.2 is available and explicitly remediates this access control failure alongside several other high-severity issues including RCE and SSRF, indicating a broad security hardening effort in this release cycle.
Technical ContextAI
JeecgBoot is a Java-based open-source low-code platform. The vulnerability is rooted in CWE-284 (Improper Access Control), meaning the server-side logic handling the /sys/user/login/setting/userEdit API endpoint fails to enforce proper authorization when the userIdentity parameter is supplied by a caller. The user.getUsername function in the SysUser component accepts this parameter without adequately verifying whether the authenticated caller has rights to act on behalf of or access the identity being specified. This class of flaw commonly arises when applications trust client-supplied identity references without server-side cross-checking against session ownership or role bindings. The affected CPE is cpe:2.3:a:n/a:jeecgboot:*:*:*:*:*:*:*:* covering all releases through 3.9.1. The CVSS temporal vector includes E:P (proof-of-concept exploit exists) and RL:O (official fix released), both of which are corroborated by the GitHub evidence.
RemediationAI
Upgrade to JeecgBoot v3.9.2 immediately; this is the vendor-released patch confirmed by the official GitHub release at https://github.com/jeecgboot/JeecgBoot/releases/tag/v3.9.2. The v3.9.2 release also patches multiple other high-severity issues (RCE, SSRF, path traversal, cross-tenant write), making this upgrade broadly critical beyond the scope of this single CVE. If an immediate upgrade is not possible, restrict network access to the /sys/user/login/setting/userEdit endpoint via firewall rules or reverse-proxy ACLs, limiting it to only trusted IP ranges or administrative networks - this reduces the AV:N attack surface but does not eliminate insider risk from already-authenticated users. Additionally, audit existing user accounts for unauthorized privilege escalation that may have already occurred via this vector. Note that endpoint restriction is a temporary control only; it does not fix the underlying access control flaw and must be replaced by the vendor patch.
Broken access control in JeecgBoot through 3.9.2 lets authenticated low-privilege users reach the OpenApiAuthController
SQL injection vulnerability in Beijing Guoju Information Technology Co., Ltd JeecgBoot v.3.7.2 allows a remote attacker
JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryFilterTableDictIn
JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryTableDictItemsByC
Improper access control in JeecgBoot through version 3.9.1 exposes the LoginController.selectDepart endpoint at /sys/sel
Improper authentication in JeecgBoot 3.9.1 OpenAPI endpoint allows remote attackers to bypass authentication checks and
Improper authorization in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to bypass access controls
Improper access control in JeecgBoot's AiragModelController (versions up to 3.9.1) permits any authenticated low-privile
JeecgBoot versions from 3.4.3 up to 3.8.0 were found to contain a SQL injection vulnerability in the /jeecg-boot/online/
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31973
GHSA-q7x2-2w32-gxv3