CVE-2026-11502
Description
A weakness has been identified in JeecgBoot up to 3.9.2. Affected is the function HttpServletResponse.sendRedirect in the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java of the component Third-Party Login. Manipulating the argument state causes an open redirect. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The project replied: "After evaluation, this vulnerability has low exploitability in real-world scenarios: 1) Exploiting this vulnerability requires attackers to use social engineering techniques to induce victims to actively click on an OAuth login link constructed by the attacker; it cannot be triggered passively. 2) Third-party login (DingTalk/WeChat, etc.) is an optional feature and may not be enabled in most projects."
Affected products
Patches (2)
17df07a823fd5 Fix: flyway failed to execute SQL script #9622
1 file changed · +96 −24
jeecg-boot/db/jeecgboot-mysql-5.7.sql (modified, +96 −24)
Vulnerability mechanics
Root cause
"The 'state' parameter is not validated before being used in a redirect URL."
Attack vector
An attacker can craft a malicious link that includes a user-controlled 'state' parameter pointing to an attacker-controlled domain. When a victim clicks this link, the application redirects them to the OAuth provider, and upon successful authentication, the application redirects the victim back to the attacker-controlled domain with a JWT token appended. This can lead to token leakage and account takeover [ref_id=1]. The attack requires the victim to actively click a crafted link, making it difficult to exploit [ref_id=1].
Affected code
The vulnerability exists in the `ThirdLoginController.java` file within the `jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/` directory. Specifically, the `oauth2LoginCallback` methods for both the login and callback endpoints are affected, as they directly use the user-controlled 'state' parameter in `HttpServletResponse.sendRedirect()` without validation [ref_id=1].
What the fix does
The advisory does not specify a patch or remediation steps. However, it notes that the vulnerability requires social engineering to trick victims into clicking a malicious link and that third-party login is an optional feature. Therefore, disabling third-party login, or validating the 'state' parameter against an allow-list of permitted redirect targets before calling sendRedirect(), would mitigate the vulnerability.
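As an added example (not code from the JeecgBoot project), the check below shows in Python the validation the advisory says is missing before the 'state' value reaches sendRedirect(): a redirect target is accepted only when it is a site-relative path or an absolute http(s) URL whose host is on an allow-list. The host `app.example.com` and the fallback path `/` are assumed values.

```python
from urllib.parse import urlsplit

# Hosts a post-login redirect may target (constructed example value).
ALLOWED_HOSTS = frozenset({"app.example.com"})


def is_safe_redirect_target(state, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `state` is a site-relative path or an absolute
    http(s) URL whose host is on the allow-list. Everything else, including
    the advisory's "state=https://evil.com" case, is rejected."""
    if not state or any(c in state for c in "\r\n\x00"):
        return False
    # Browsers normalise backslashes to '/', which would turn "/\evil.com"
    # into the scheme-relative "//evil.com"; reject them outright.
    if "\\" in state:
        return False
    parts = urlsplit(state)
    if parts.scheme == "" and parts.netloc == "":
        # No scheme and no authority: a path on this site. A leading slash is
        # required; "//evil.com" never reaches here because it has a netloc.
        return state.startswith("/")
    if parts.scheme not in ("http", "https"):
        # Rejects javascript:, data: and other non-navigational schemes.
        return False
    # urlsplit().hostname strips userinfo and port and lowercases the host,
    # so "https://app.example.com@evil.com/" resolves to "evil.com" here.
    return (parts.hostname or "") in allowed_hosts


def safe_redirect_location(state, default="/"):
    """Value a controller should hand to sendRedirect(): the requested
    target when it passes validation, otherwise a fixed local fallback."""
    return state if is_safe_redirect_target(state) else default


if __name__ == "__main__":
    # The request from the advisory's reproduction section.
    print(safe_redirect_location("https://evil.com"))          # -> /
    print(safe_redirect_location("/dashboard"))                # -> /dashboard
```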
Preconditions
- config: Third-party login (e.g., DingTalk, WeChat) must be enabled.
- input: The attacker must provide a crafted URL with a malicious 'state' parameter.
- input: The victim must click on the crafted URL.
Reproduction
GET /jeecg-boot/sys/thirdLogin/oauth2/dingtalk/login?state=https://evil.com&tenantId=0 HTTP/1.1
Host: <target>:8084
The response will contain a redirect to the OAuth provider with the malicious state parameter. After the victim completes OAuth authentication, they will be redirected to the attacker-controlled domain with a JWT token.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.