๐Ÿ” CVE Alert

CVE-2026-58377

HIGH 8.1

JeecgBoot 3.9.2 - Missing Authorization on OpenAPI Credential Management Endpoints Exposes Access/Secret Keys

CVSS Score: 8.1
EPSS Score: 0.0%
EPSS Percentile: 0th

JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI credentials by calling the OpenApiAuthController and OpenApiPermissionController endpoints, which lack Shiro authorization annotations. Attackers can exploit the unenforced access controls to list, add, edit, and delete all AK/SK credential pairs; the list endpoint returns secret keys in plaintext, enabling credential theft and unauthorized invocation of the OpenAPI surface.
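The defect class described above is an endpoint that is reachable by any authenticated subject because no authorization check is attached to it, compounded by returning raw secrets. The following is an added illustration, not JeecgBoot's code: a generic Spring MVC controller using Apache Shiro annotations, showing an unprotected credential-listing method beside a hardened version that requires a specific permission and masks the secret key. The class, store interface, path and permission strings are hypothetical.

```java
// Added example (not from JeecgBoot): Shiro-annotated Spring controller.
// Assumes shiro-spring is on the classpath with the annotation advisor
// registered, so @RequiresPermissions is actually enforced at runtime.
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.List;
import java.util.stream.Collectors;

// Hypothetical credential pair (access key / secret key).
record ApiCredential(String accessKey, String secretKey) {}

// Hypothetical persistence layer; any repository would do.
interface CredentialStore {
    List<ApiCredential> findAll();
    void delete(String accessKey);
}

@RestController
@RequestMapping("/openapi/credentials")
public class OpenApiCredentialController {

    private final CredentialStore store;

    public OpenApiCredentialController(CredentialStore store) {
        this.store = store;
    }

    // WEAK: no Shiro annotation, so every authenticated user can call it,
    // and it hands back the secret key unmasked. This is the pattern the
    // advisory describes (CWE-862, missing authorization).
    @GetMapping("/list-unprotected")
    public List<ApiCredential> listUnprotected() {
        return store.findAll();
    }

    // HARDENED: a subject must hold the named permission, and the secret
    // is masked before leaving the server. Shiro raises an
    // AuthorizationException for callers without it.
    @RequiresPermissions("openapi:credentials:list")
    @GetMapping("/list")
    public List<ApiCredential> list() {
        return store.findAll().stream()
                .map(c -> new ApiCredential(c.accessKey(), mask(c.secretKey())))
                .collect(Collectors.toList());
    }

    // Destructive operations get their own, narrower permission string.
    @RequiresPermissions("openapi:credentials:delete")
    @DeleteMapping("/{accessKey}")
    public void delete(@PathVariable String accessKey) {
        store.delete(accessKey);
    }

    // Keep only the last four characters so an operator can still
    // recognise which key is which without the full secret being exposed.
    static String mask(String secret) {
        if (secret == null || secret.length() <= 4) {
            return "****";
        }
        return "****" + secret.substring(secret.length() - 4);
    }
}
```

Two checks a reviewer can apply to a codebase like this: every method that reads or mutates credentials carries an authorization annotation (or an equivalent check in a filter chain), and no response type includes the raw secret field. In shiro-spring the annotations are only honoured when the `AuthorizationAttributeSourceAdvisor` bean is registered; a missing advisor silently disables all of them, so that configuration is part of the same review.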

CWE: CWE-862
Vendor: jeecgboot
Product: jeecgboot
Published: Jun 30, 2026
Last Updated: Jun 30, 2026

CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Affected Versions

jeecgboot / JeecgBoot: 0 ≤ version ≤ 3.9.2

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/jeecgboot/JeecgBoot/issues/9705
vulncheck.com: https://www.vulncheck.com/advisories/jeecgboot-missing-authorization-on-openapi-credential-management-endpoints-exposes-access-secret-keys

Credits

George Chen