Skip to main content

JeecgBoot CVE-2026-9580

| EUVDEUVD-2026-31986 MEDIUM
Improper Access Control (CWE-284)
2026-05-26 VulDB GHSA-v77q-xxpr-rx9g
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 26, 2026 - 21:22 NVD
HIGH MEDIUM
CVSS changed
May 26, 2026 - 21:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
Source Code Evidence Fetched
May 26, 2026 - 21:03 vuln.today
Analysis Generated
May 26, 2026 - 21:03 vuln.today

DescriptionCVE.org

A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.9.2 is sufficient to fix this issue. It is suggested to upgrade the affected component.

AnalysisAI

Improper access control in JeecgBoot through version 3.9.1 exposes the LoginController.selectDepart endpoint at /sys/selectDepart, allowing remote attackers to bypass authorization checks tied to department/tenant selection during login. Publicly available exploit code exists per VulDB disclosure, and the vendor has shipped a fix in v3.9.2. No active in-the-wild exploitation has been confirmed (not in CISA KEV), but the public POC and network-reachable attack surface make opportunistic abuse plausible.

Technical ContextAI

JeecgBoot is an open-source low-code development platform built on Spring Boot and Vue, widely used in Chinese enterprise environments for rapid CRUD/BPM/reporting application delivery. The affected component is the LoginController.selectDepart handler, which governs the department (depart) selection step a user performs at login when associated with multiple organizational units; this routine should enforce that the requested depart belongs to the calling user. The root cause maps to CWE-284 (Improper Access Control), indicating that authorization logic around department selection is missing or insufficient, letting callers reference departments outside their permitted scope. The CPE record cpe:2.3:a:n/a:jeecgboot:*:*:*:*:*:*:*:* covers all JeecgBoot versions and reflects the open-ended product matching used by NVD for community projects.

RemediationAI

Vendor-released patch: upgrade to JeecgBoot v3.9.2 or later, available at https://github.com/jeecgboot/JeecgBoot/releases/tag/v3.9.2, which is explicitly cited by the CVE as sufficient to remediate the issue and which also bundles fixes for several other high-severity flaws (SSRF #9579, path traversal #9519, cross-tenant write #9462, token privilege escalation #9518, RCE #9335). If immediate upgrade is not feasible, restrict network reachability to the /sys/selectDepart endpoint via reverse-proxy or WAF rules limiting access to trusted corporate IP ranges, and monitor authentication and depart-switch events for anomalous account/department pairings - note this will not stop an attacker who has already obtained valid credentials inside the trust boundary. Review and tighten role/department mappings so that even if authorization is bypassed, accounts have minimum necessary scope; this reduces blast radius but does not close the flaw. Track the upstream issue at https://github.com/jeecgboot/JeecgBoot/issues/9597 for any further guidance from the maintainers.

Share

CVE-2026-9580 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy