VYPR
Medium severity · 5.3 · NVD Advisory · Published Jun 7, 2026

CVE-2026-11458

Description

JEEWMS versions up to 141740afb2ba14d441c82a833d0a418d07ca2d69 expose sensitive Spring Boot Actuator endpoints without authentication, leading to information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A weakness exists in erzhongxmu JeeWMS up to commit 141740afb2ba14d441c82a833d0a418d07ca2d69: the Spring Boot Actuator endpoints, specifically /base-boot/actuator/env and /base-boot/actuator/heapdump, are reachable without authentication because the Shiro configuration allows anonymous access to them. The affected component is the Boot Actuator Endpoint.

Exploitation

An unauthenticated attacker can remotely access the /base-boot/actuator/env and /base-boot/actuator/heapdump endpoints. A single HTTP GET request to these endpoints returns sensitive environment variables and application configuration, or a full JVM heap dump. This was confirmed in local testing without any authentication [1].

Impact

Successful exploitation allows unauthenticated attackers to obtain highly sensitive runtime and configuration data. The /env endpoint may reveal deployment secrets and internal structures, while the /heapdump endpoint can expose in-memory objects such as usernames, passwords, JWTs, session tokens, database credentials, API keys, and other sensitive business data, potentially leading to credential leakage and full system compromise [1].

Mitigation

This product implements a rolling release, making specific version information unavailable. The vendor was contacted but did not respond. No patched version or workaround is currently disclosed in the available references. The product is listed as EOL by the vendor [1].

AI Insight generated on Jun 7, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The Spring Boot Actuator endpoints are exposed without authentication due to Shiro configuration."

Attack vector

An unauthenticated attacker can remotely access sensitive Spring Boot Actuator endpoints, specifically `/base-boot/actuator/env` and `/base-boot/actuator/heapdump` [ref_id=1]. By sending a simple GET request to these endpoints, an attacker can retrieve environment information or a full JVM heap dump [ref_id=1]. This information disclosure can lead to credential leakage and potential system compromise.

Affected code

The vulnerability lies within the Spring Boot Actuator endpoints, specifically those under `/base-boot/actuator/**`. The Shiro configuration explicitly allows anonymous access to these management endpoints, making them externally reachable without authentication [ref_id=1]. The sensitive endpoints identified are `/base-boot/actuator/env` and `/base-boot/actuator/heapdump` [ref_id=1].
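As an added illustration (not code from the JeeWMS project or from the advisory), the following Shiro configuration shows a filter chain of the kind the advisory describes, with the management paths mapped to `anon`, beside a hardened chain, and a small resolver that mirrors Shiro's first-match rule so a chain definition can be checked before it is deployed. The `/base-boot` prefix comes from the page; the class name, bean names, the `admin` role and the health-probe exception are assumptions.

```java
package example; // hypothetical package, not part of JeeWMS

import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.util.AntPathMatcher;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Illustrative Shiro filter-chain configuration (added example, not JeeWMS code).
 * The /base-boot context path, bean names and the "admin" role are assumptions.
 */
@Configuration
public class ActuatorShiroConfig {

    /** Weak chain of the kind the advisory describes: management endpoints are anonymous. */
    static Map<String, String> weakChain() {
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/base-boot/actuator/**", "anon");   // serves /env and /heapdump to anyone
        chain.put("/base-boot/login", "anon");
        chain.put("/**", "authc");
        return chain;
    }

    /** Hardened chain: actuator paths require a login and an admin role. */
    static Map<String, String> hardenedChain() {
        Map<String, String> chain = new LinkedHashMap<>();
        // Shiro picks the FIRST matching pattern in insertion order, so the
        // restrictive actuator rule must precede any broader anonymous rule.
        chain.put("/base-boot/actuator/health", "anon");             // liveness probe only (assumption)
        chain.put("/base-boot/actuator/**", "authc, roles[admin]");
        chain.put("/base-boot/login", "anon");
        chain.put("/**", "authc");
        return chain;
    }

    /** The security manager and its realm are assumed to be defined elsewhere in the app. */
    @Bean
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.setLoginUrl("/base-boot/login");
        factory.setFilterChainDefinitionMap(hardenedChain());
        return factory;
    }

    /**
     * Mirrors Shiro's PathMatchingFilterChainResolver: return the filter expression
     * of the first pattern that matches the request path, or null when none does
     * (in which case Shiro applies no filters and the request reaches the servlet).
     */
    static String resolveChain(Map<String, String> chain, String path) {
        AntPathMatcher matcher = new AntPathMatcher();
        for (Map.Entry<String, String> e : chain.entrySet()) {
            if (matcher.matches(e.getKey(), path)) {
                return e.getValue();
            }
        }
        return null;
    }

    /** Self-check: compare what each chain does with the paths named in the advisory. */
    public static void main(String[] args) {
        String[] paths = {
            "/base-boot/actuator/env",
            "/base-boot/actuator/heapdump",
            "/base-boot/actuator/health"
        };
        for (String p : paths) {
            System.out.printf("%-32s weak=%-6s hardened=%s%n",
                    p, resolveChain(weakChain(), p), resolveChain(hardenedChain(), p));
        }
    }
}
```

Running the `main` shows `/env` and `/heapdump` resolving to `anon` under the weak chain and to `authc, roles[admin]` under the hardened one, while the health probe stays anonymous in both. Because Shiro is first-match, a chain that lists a broad `/base-boot/**` → `anon` entry ahead of the actuator rule would silently re-open the endpoints, which is why checking the resolved chain for each sensitive path is worth keeping as a unit test. Independently of Shiro, the exposure can also be cut at the Spring Boot layer with `management.endpoints.web.exposure.include=health`, so that `env` and `heapdump` are not served over HTTP at all.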

What the fix does

The advisory does not specify a patch or provide details on how the vulnerability is fixed. It notes that the vendor did not respond to the disclosure. Therefore, remediation guidance is unavailable.

Preconditions

  • auth: No authentication is required to exploit this vulnerability.
  • network: The attack can be executed remotely.

Reproduction

```http
GET /base-boot/actuator/env HTTP/1.1
Host: <target>

GET /base-boot/actuator/heapdump HTTP/1.1
Host: <target>
```

Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.