CVE-2026-58377
Severity: HIGH
JeecgBoot 3.9.2 - Missing Authorization on OpenAPI Credential Management Endpoints Exposes Access/Secret Keys
Title source: CNA

Description
JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI credentials through the OpenApiAuthController and OpenApiPermissionController endpoints, which lack Shiro authorization annotations. Because access control is not enforced on these endpoints, an attacker can list, add, edit, and delete all AK/SK (access key/secret key) credential pairs, and the list endpoint returns secret keys in plaintext, enabling credential theft and unauthorized invocation of the OpenAPI surface.
References (2)
Researcher disclosure (exploit, technical description): https://github.com/jeecgboot/JeecgBoot/issues/9705
Third-party advisory: https://www.vulncheck.com/advisories/jeecgboot-missing-authorization-on-openapi-credential-management-endpoints-exposes-access-secret-keys
Scores
CVSS v3: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Attack Vector: NETWORK
EPSS: 0.0026 (percentile 17.7%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-862 (Missing Authorization)
Status: published
Products (1): jeecgboot/JeecgBoot < 3.9.2
Published: Jun 30, 2026
Tracked since: Jun 30, 2026