Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoints with low complexity and only a low-privilege account (PR:L); plaintext secret disclosure gives C:H and credential CRUD gives I:H, with no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI credentials by accessing the OpenApiAuthController and OpenApiPermissionController endpoints which lack Shiro authorization annotations. Attackers can exploit the unenforced access controls to list, add, edit, and delete all AK/SK credential pairs, with the list endpoint returning secret keys in plaintext, enabling credential theft and unauthorized invocation of the OpenAPI surface.
AnalysisAI
Broken access control in JeecgBoot through 3.9.2 lets authenticated low-privilege users reach the OpenApiAuthController and OpenApiPermissionController endpoints, which are missing Shiro authorization annotations, to fully manage OpenAPI AK/SK credentials. Because the list endpoint returns secret keys in plaintext, any logged-in user can harvest every Access Key/Secret Key pair and then create, modify, or delete them, enabling credential theft and unauthorized invocation of the OpenAPI surface. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid authenticated low-privilege JeecgBoot session (CVSS PR:L) - the OpenApiAuthController and OpenApiPermissionController endpoints are network-reachable and need no user interaction, but they are not anonymously exploitable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) scores 8.6 and is internally consistent with the description: network-reachable, low complexity, only low privileges required, no user interaction, with high confidentiality and integrity impact and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains any ordinary low-privilege JeecgBoot account, authenticates, and sends a request to the unprotected OpenApiAuthController list endpoint, which returns every AK/SK pair with secret keys in plaintext. Using AV:N/AC:L and the public POC, the attacker harvests valid credentials and then either invokes the OpenAPI surface as a trusted client or uses the edit/delete endpoints to tamper with or remove credential pairs. |
| Remediation | No vendor-released patch version was identified at time of analysis - the only references are the JeecgBoot GitHub issue (https://github.com/jeecgboot/JeecgBoot/issues/9705) and the VulnCheck advisory (https://www.vulncheck.com/advisories/jeecgboot-missing-authorization-on-openapi-credential-management-endpoints-exposes-access-secret-keys); monitor both for a fixed release and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all JeecgBoot deployments at version 3.9.2 and earlier; audit access logs to OpenApiAuthController and OpenApiPermissionController for suspicious activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
SQL injection vulnerability in Beijing Guoju Information Technology Co., Ltd JeecgBoot v.3.7.2 allows a remote attacker
JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryFilterTableDictIn
JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryTableDictItemsByC
Improper access control in JeecgBoot through version 3.9.1 exposes the LoginController.selectDepart endpoint at /sys/sel
Improper authentication in JeecgBoot 3.9.1 OpenAPI endpoint allows remote attackers to bypass authentication checks and
Improper authorization in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to bypass access controls
Improper access control in JeecgBoot's AiragModelController (versions up to 3.9.1) permits any authenticated low-privile
Improper access control in JeecgBoot versions up to 3.9.1 allows authenticated low-privileged remote attackers to bypass
JeecgBoot versions from 3.4.3 up to 3.8.0 were found to contain a SQL injection vulnerability in the /jeecg-boot/online/
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40364
GHSA-6w4x-5vf2-7756