Skip to main content

JeecgBoot CVE-2026-9579

| EUVDEUVD-2026-31973 LOW
Improper Access Control (CWE-284)
2026-05-26 VulDB GHSA-q7x2-2w32-gxv3
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 26, 2026 - 21:22 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 21:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
May 26, 2026 - 21:04 vuln.today
Analysis Generated
May 26, 2026 - 21:04 vuln.today

DescriptionCVE.org

A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument userIdentity results in improper access controls. The attack may be launched remotely. The exploit has been made public and could be used. Upgrading to version 3.9.2 is recommended to address this issue. The affected component should be upgraded.

AnalysisAI

Improper access control in JeecgBoot versions up to 3.9.1 allows authenticated low-privileged remote attackers to bypass authorization checks by manipulating the userIdentity argument in the SysUser component's user.getUsername function at the /sys/user/login/setting/userEdit endpoint. A publicly available proof-of-concept exploit exists via GitHub issue #9596, increasing practical risk for any multi-user JeecgBoot deployment where adversaries hold a low-privileged account. Vendor-released patch v3.9.2 is available and explicitly remediates this access control failure alongside several other high-severity issues including RCE and SSRF, indicating a broad security hardening effort in this release cycle.

Technical ContextAI

JeecgBoot is a Java-based open-source low-code platform. The vulnerability is rooted in CWE-284 (Improper Access Control), meaning the server-side logic handling the /sys/user/login/setting/userEdit API endpoint fails to enforce proper authorization when the userIdentity parameter is supplied by a caller. The user.getUsername function in the SysUser component accepts this parameter without adequately verifying whether the authenticated caller has rights to act on behalf of or access the identity being specified. This class of flaw commonly arises when applications trust client-supplied identity references without server-side cross-checking against session ownership or role bindings. The affected CPE is cpe:2.3:a:n/a:jeecgboot:*:*:*:*:*:*:*:* covering all releases through 3.9.1. The CVSS temporal vector includes E:P (proof-of-concept exploit exists) and RL:O (official fix released), both of which are corroborated by the GitHub evidence.

RemediationAI

Upgrade to JeecgBoot v3.9.2 immediately; this is the vendor-released patch confirmed by the official GitHub release at https://github.com/jeecgboot/JeecgBoot/releases/tag/v3.9.2. The v3.9.2 release also patches multiple other high-severity issues (RCE, SSRF, path traversal, cross-tenant write), making this upgrade broadly critical beyond the scope of this single CVE. If an immediate upgrade is not possible, restrict network access to the /sys/user/login/setting/userEdit endpoint via firewall rules or reverse-proxy ACLs, limiting it to only trusted IP ranges or administrative networks - this reduces the AV:N attack surface but does not eliminate insider risk from already-authenticated users. Additionally, audit existing user accounts for unauthorized privilege escalation that may have already occurred via this vector. Note that endpoint restriction is a temporary control only; it does not fix the underlying access control flaw and must be replaced by the vendor patch.

Share

CVE-2026-9579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy