VYPR
Critical severity · NVD Advisory · Published Mar 31, 2023 · Updated Feb 11, 2025

jeecg-boot API Documentation improper authentication

CVE-2023-1784

Description

A vulnerability was found in jeecg-boot 3.5.0 and classified as critical. This issue affects some unknown processing of the component API Documentation. The manipulation leads to improper authentication. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-224699.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated remote attacker can access API documentation in JeecgBoot 3.5.0 due to missing authentication, leading to information disclosure.

JeecgBoot 3.5.0, an open-source low-code platform, contains a critical authentication bypass vulnerability in its API documentation component. The root cause is improper authentication handling when accessing the API documentation functionality, allowing unauthorized requests to reach protected endpoints. This issue affects the specific version 3.5.0 [1][2].

Attackers can exploit this vulnerability remotely without any prior authentication or special privileges. By sending crafted requests to the API documentation endpoint, an unauthenticated remote attacker can bypass access controls and retrieve sensitive information from the API docs. The exploit technique has been publicly disclosed, increasing the risk of active exploitation [2].

The impact of successful exploitation includes unauthorized access to API documentation, which may reveal internal API endpoints, request/response schemas, and other implementation details. This information disclosure can serve as a stepping stone for further attacks, such as identifying vulnerable API routes or crafting more targeted exploits. The critical severity assigned to this vulnerability reflects the ease of exploitation and the potential for information leakage [1][2].

JeecgBoot has not released a specific patch version for this CVE in the referenced advisory, though the platform currently ships version 3.9.2 (as of April 2026). Users running version 3.5.0 should upgrade to the latest release or implement access controls on the API documentation component until a fix is available. Organizations should assess their exposure given the public exploit availability [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jeecgframework.boot:jeecg-boot-parent (Maven)
Affected versions: <= 3.5.0
Patched versions: (none listed)

Patches

0

No patches discovered yet.
