Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.9.2 is sufficient to fix this issue. It is suggested to upgrade the affected component.
AnalysisAI
Improper access control in JeecgBoot through version 3.9.1 exposes the LoginController.selectDepart endpoint at /sys/selectDepart, allowing remote attackers to bypass authorization checks tied to department/tenant selection during login. Publicly available exploit code exists per VulDB disclosure, and the vendor has shipped a fix in v3.9.2. No active in-the-wild exploitation has been confirmed (not in CISA KEV), but the public POC and network-reachable attack surface make opportunistic abuse plausible.
Technical ContextAI
JeecgBoot is an open-source low-code development platform built on Spring Boot and Vue, widely used in Chinese enterprise environments for rapid CRUD/BPM/reporting application delivery. The affected component is the LoginController.selectDepart handler, which governs the department (depart) selection step a user performs at login when associated with multiple organizational units; this routine should enforce that the requested depart belongs to the calling user. The root cause maps to CWE-284 (Improper Access Control), indicating that authorization logic around department selection is missing or insufficient, letting callers reference departments outside their permitted scope. The CPE record cpe:2.3:a:n/a:jeecgboot:*:*:*:*:*:*:*:* covers all JeecgBoot versions and reflects the open-ended product matching used by NVD for community projects.
RemediationAI
Vendor-released patch: upgrade to JeecgBoot v3.9.2 or later, available at https://github.com/jeecgboot/JeecgBoot/releases/tag/v3.9.2, which is explicitly cited by the CVE as sufficient to remediate the issue and which also bundles fixes for several other high-severity flaws (SSRF #9579, path traversal #9519, cross-tenant write #9462, token privilege escalation #9518, RCE #9335). If immediate upgrade is not feasible, restrict network reachability to the /sys/selectDepart endpoint via reverse-proxy or WAF rules limiting access to trusted corporate IP ranges, and monitor authentication and depart-switch events for anomalous account/department pairings - note this will not stop an attacker who has already obtained valid credentials inside the trust boundary. Review and tighten role/department mappings so that even if authorization is bypassed, accounts have minimum necessary scope; this reduces blast radius but does not close the flaw. Track the upstream issue at https://github.com/jeecgboot/JeecgBoot/issues/9597 for any further guidance from the maintainers.
Broken access control in JeecgBoot through 3.9.2 lets authenticated low-privilege users reach the OpenApiAuthController
SQL injection vulnerability in Beijing Guoju Information Technology Co., Ltd JeecgBoot v.3.7.2 allows a remote attacker
JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryFilterTableDictIn
JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryTableDictItemsByC
Improper authentication in JeecgBoot 3.9.1 OpenAPI endpoint allows remote attackers to bypass authentication checks and
Improper authorization in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to bypass access controls
Improper access control in JeecgBoot's AiragModelController (versions up to 3.9.1) permits any authenticated low-privile
Improper access control in JeecgBoot versions up to 3.9.1 allows authenticated low-privileged remote attackers to bypass
JeecgBoot versions from 3.4.3 up to 3.8.0 were found to contain a SQL injection vulnerability in the /jeecg-boot/online/
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31986
GHSA-v77q-xxpr-rx9g