Which versions of JeecgBoot are affected by EUVD-2026-31986?

JeecgBoot versions through 3.9.1 contain an authorization bypass vulnerability in the login endpoint that allows remote attackers to access unauthorized department or tenant accounts, with publicly…. A patch is available.

Is there a public PoC exploit available for EUVD-2026-31986?

Yes, a public proof-of-concept exploit is available for EUVD-2026-31986. Prioritise patching immediately. EPSS: 0.0%.

JeecgBoot EUVD-2026-31986

Q: What is the CVSS score of EUVD-2026-31986?

EUVD-2026-31986 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-9580 MEDIUM

Improper Access Control (CWE-284)

2026-05-26 VulDB

GHSA-v77q-xxpr-rx9g

Authentication Bypass

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

May 26, 2026 - 21:22 NVD

HIGH MEDIUM

CVSS changed

May 26, 2026 - 21:22 NVD

7.3 (HIGH) 5.5 (MEDIUM)

Source Code Evidence Fetched

May 26, 2026 - 21:03 vuln.today

Analysis Generated

May 26, 2026 - 21:03 vuln.today

DescriptionNVD

A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.9.2 is sufficient to fix this issue. It is suggested to upgrade the affected component.

AnalysisAI

Improper access control in JeecgBoot through version 3.9.1 exposes the LoginController.selectDepart endpoint at /sys/selectDepart, allowing remote attackers to bypass authorization checks tied to department/tenant selection during login. Publicly available exploit code exists per VulDB disclosure, and the vendor has shipped a fix in v3.9.2. …

RemediationAI

Within 24 hours: Identify all JeecgBoot instances and document current versions; assess whether multi-tenant or department-based access controls are in place. Within 7 days: Apply JeecgBoot v3.9.2 or later to all systems and perform functional testing to validate post-patch stability. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-31986 vulnerability details – vuln.today

Back

JeecgBoot EUVD-2026-31986

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

JeecgBoot EUVD-2026-31986

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code