Skip to main content

JeecgBoot EUVDEUVD-2026-26730

| CVE-2026-7602 LOW
Incorrect Privilege Assignment (CWE-266)
2026-05-02 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 02, 2026 - 04:30 vuln.today
EUVD ID Assigned
May 02, 2026 - 04:22 euvd
EUVD-2026-26730
Analysis Generated
May 02, 2026 - 04:22 vuln.today
CVE Published
May 02, 2026 - 04:16 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was found in JeecgBoot up to 3.9.1. Affected by this vulnerability is an unknown functionality of the file /sys/fillRule/edit of the component FillRuleUtil Component. The manipulation of the argument ruleClass results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. You should upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release.

AnalysisAI

Improper authorization in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to manipulate the ruleClass parameter in the /sys/fillRule/edit endpoint, leading to unauthorized access and information disclosure. The vulnerability affects the FillRuleUtil component and has publicly available exploit code; the vendor confirmed the issue and committed to patching in an upcoming release.

Technical ContextAI

JeecgBoot is a low-code development platform built on Java. The vulnerability resides in the FillRuleUtil component's edit functionality, specifically in how the /sys/fillRule/edit endpoint validates authorization for the ruleClass parameter. CWE-266 (Incorrect Privilege Assignment) indicates the root cause is improper privilege or authorization checks when processing user-supplied input to the ruleClass argument. The component fails to properly verify whether an authenticated user has permission to modify fill rules associated with arbitrary rule classes, allowing parameter manipulation to access data or configurations they should not be able to modify.

RemediationAI

Upgrade JeecgBoot to the patched version when released by the vendor; the upcoming release has been confirmed by the vendor but the exact version number is not yet available in public advisories. Until an official patch is available, implement network-level or application-level access controls to restrict access to the /sys/fillRule/edit endpoint to only users who require it, use Web Application Firewall (WAF) rules to inspect and block suspicious ruleClass parameter values that deviate from expected patterns, and audit FillRuleUtil component logs to detect unauthorized modification attempts. Monitor the JeecgBoot GitHub repository (https://github.com/jeecgboot/JeecgBoot/) and issue tracker (https://github.com/jeecgboot/JeecgBoot/issues/9552) for patch availability announcements. The trade-off of WAF-based mitigation is potential false positives if legitimate use cases employ unusual ruleClass values; coordinate remediation with application stakeholders before deploying blocking rules.

Share

EUVD-2026-26730 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy