JeecgBoot: Four Access-Control Flaws Disclosed Together, Patched in 3.9.2
Four improper-access-control vulnerabilities in JeecgBoot were disclosed on May 26, 2026, affecting versions up to 3.9.1, with public exploits available and a fix released in version 3.9.2.

Key findings
- Four improper-access-control CVEs disclosed together on May 26, 2026
- All affect JeecgBoot versions up to 3.9.1; fixed in 3.9.2
- CVE-2026-9580 is the most severe (CVSSv3 7.3, High), in LoginController.selectDepart
- Public exploit code is available for all four vulnerabilities
- CVE-2026-9604 targets the AiragModelController, exposing AI model metadata
- No mitigations beyond upgrading to 3.9.2 have been published
Four improper-access-control vulnerabilities were disclosed together on May 26, 2026, in JeecgBoot, the popular Java low-code development platform from Jeecg. All four CVEs affect versions up to 3.9.1 and were addressed in the 3.9.2 release. The batch spans Medium to High severity (CVSSv3 scores from 4.3 to 7.3), and public exploit code is already available for every one of them — a fact that should push administrators to prioritize patching.
The most severe of the batch is CVE-2026-9580 (CVSSv3 7.3, High), which resides in the LoginController.selectDepart function at the endpoint /sys/selectDepart. This flaw allows an unauthenticated or low-privilege remote attacker to bypass authorization checks and access department-selection logic that should be restricted. Given that JeecgBoot is used to build internal business applications — often handling sensitive organizational data — a bypass in the login/select-depart flow could let an attacker enumerate department structures or escalate privileges.
Two Medium-severity CVEs (both scored 6.3) target different endpoints. CVE-2026-9581 is found in the comment submission handler at /sys/comment/add. The function fails to enforce proper access controls, meaning any remote user — authenticated or not — could potentially submit or manipulate comments in ways the application did not intend. CVE-2026-9579 affects the user profile editing endpoint at /sys/user/login/setting/userEdit, specifically in the SysUser component's user.getUsername function. The userIdentity argument is not properly validated for authorization, which could allow a user to modify identity attributes belonging to other accounts.
The lowest-scored CVE in the batch, CVE-2026-9604 (CVSSv3 4.3), targets the AiragModelController component. The list and queryById operations lack proper access controls, potentially exposing AI-rag model configurations to unauthorized viewers. While the severity is Medium, the presence of a public exploit and the sensitivity of AI model metadata make this a non-trivial finding for organizations using JeecgBoot's AI-rag features.
All four CVEs share a common root cause: improper access controls — the application fails to verify that the requesting user has the necessary permissions before executing the operation. This is a class of vulnerability that is particularly dangerous in low-code platforms, where developers often rely on the framework's built-in authorization rather than implementing custom checks. The fact that all four were fixed in a single version bump (3.9.2) suggests the vendor addressed the issues holistically.
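As an added illustration of this bug class (not JeecgBoot's own code), here is the pattern in a Spring MVC controller, modelled on the userEdit case above: the vulnerable handler trusts a caller-supplied target account and requires no authentication, while the hardened handler takes the acting user from the authenticated principal and requires an explicit permission to edit any other account. `SysUserService`, `PermissionChecker`, the paths and the permission string `sys:user:edit` are assumptions, not the project's APIs.

```java
import java.security.Principal;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical service interfaces standing in for the application's own.
interface SysUserService {
    void updateIdentity(String username, String userIdentity);
}
interface PermissionChecker {
    boolean has(String username, String permission);
}

@RestController
public class UserEditController {
    private final SysUserService users;
    private final PermissionChecker perms;

    public UserEditController(SysUserService users, PermissionChecker perms) {
        this.users = users;
        this.perms = perms;
    }

    // VULNERABLE PATTERN: nothing ties the caller to 'username', and no
    // authentication is required, so any remote client can rewrite the
    // identity attributes of any account it can name.
    @PostMapping("/vulnerable/userEdit")
    public String userEditUnchecked(@RequestParam String username,
                                    @RequestParam String userIdentity) {
        users.updateIdentity(username, userIdentity);
        return "ok";
    }

    // HARDENED: reject anonymous callers, derive the acting user from the
    // principal, and demand an explicit permission for editing other accounts.
    @PostMapping("/hardened/userEdit")
    public String userEditChecked(Principal principal,
                                  @RequestParam String username,
                                  @RequestParam String userIdentity) {
        if (principal == null) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
        }
        boolean editingSelf = principal.getName().equals(username);
        if (!editingSelf && !perms.has(principal.getName(), "sys:user:edit")) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
        }
        users.updateIdentity(username, userIdentity);
        return "ok";
    }
}
```

The same shape applies to the read-only endpoints in the batch: a list or queryById handler needs the authenticated subject and a permission check before returning data, not just a reachable route.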
The Jeecg team has released version 3.9.2, which resolves all four CVEs. Users still running 3.9.1 or earlier should upgrade immediately. No workarounds or mitigations beyond the patch have been published. Given that exploit code is publicly available for every CVE in this batch, the window for safe operation on unpatched instances is effectively closed.
For organizations running JeecgBoot in production — particularly those using the department-selection, comment, user-profile, or AI-rag modules — this batch represents a clear and present risk. The pattern of multiple access-control bugs disclosed simultaneously suggests a broader audit may be warranted. Administrators should verify their deployment version and apply the 3.9.2 update without delay.