VYPR
Severity: Medium (6.3) · NVD Advisory · Published May 26, 2026

CVE-2026-9579
Description

A vulnerability was found in JeecgBoot up to 3.9.1. Affected is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. Manipulation of the argument userIdentity results in improper access controls. The attack may be launched remotely. The exploit has been made public and could be used. Upgrading to version 3.9.2 is recommended to address this issue; the affected component should be upgraded.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JeecgBoot up to 3.9.1 has an improper access control flaw in the /sys/user/login/setting/userEdit endpoint that allows privilege escalation via manipulation of the userIdentity field.

Vulnerability

A vulnerability exists in JeecgBoot versions up to 3.9.1 in the /sys/user/login/setting/userEdit endpoint. The function user.getUsername in SysUserController.java binds the entire SysUser entity from the request body and persists it via updateById() without server-side filtering of the userIdentity field [3]. The userIdentity field controls data visibility: 1 (or null) means ordinary member, while 2 designates department head with broader access [3]. The endpoint is protected by @RequiresPermissions("system:user:setting:edit"), but this permission is assigned to the default test role held by all registered users [3].

Exploitation

An authenticated attacker with any registered account sends a POST request to /sys/user/login/setting/userEdit with a JSON body containing userIdentity: 2 (and optionally departIds). The controller checks that the JWT username matches the target user's username, but then calls updateById(sysUser) using the attacker-supplied request object rather than the database-fetched entity [3]. This writes the injected userIdentity=2 into the database for the attacker's user [3]. The exploit can be performed remotely without special network position [1][3].

Impact

A successful attack allows an ordinary user to escalate their privileges to department head level, gaining the ability to view all members under managed departments (data visibility elevation) [3]. This violates the intended access control where userIdentity=2 should only be assigned through the internal "department head setting" process [3]. The impact is unauthorized information disclosure and privilege escalation within the system.

Mitigation

JeecgBoot version 3.9.2 (released 2026-04-30) addresses this issue [2]. The fixed version is expected to either persist the database-fetched user object instead of the request body, or implement a field whitelist that blocks userIdentity from client-side modification [3]. Upgrading to 3.9.2 is the recommended mitigation [1][2]. No workaround is documented in the available references; the vulnerability is not listed in CISA KEV as of publication.
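The two handlers below are an added illustration of the pattern the advisory describes and of the "persist the database-fetched object, copy only allow-listed fields" fix; they are not JeecgBoot's own code or its actual patch. SysUser, updateById, userIdentity and departIds follow the advisory text; the service, JwtUtil helper, Result type and the copied profile fields are assumed for the example.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

// Assumed types: SysUser entity, ISysUserService (getById/updateById),
// Result response wrapper and JwtUtil.getUserNameByToken(request).
@RestController
@RequestMapping("/sys/user")
public class UserSettingControllerExample {

    @Autowired
    private ISysUserService sysUserService;

    // Pattern the advisory describes: the ownership check on the username passes,
    // but the request-bound object is persisted wholesale, so a client-supplied
    // userIdentity (and departIds) is written to the database for the caller.
    // Shown beside the fix for comparison; a real application maps only one handler.
    @RequiresPermissions("system:user:setting:edit")
    @PostMapping("/login/setting/userEdit-vulnerable")
    public Result<?> userEditVulnerable(@RequestBody SysUser sysUser, HttpServletRequest req) {
        String jwtUsername = JwtUtil.getUserNameByToken(req);
        SysUser dbUser = sysUserService.getById(sysUser.getId());
        if (dbUser == null || !jwtUsername.equals(dbUser.getUsername())) {
            return Result.error("not allowed to edit this user");
        }
        sysUserService.updateById(sysUser); // trusts every field in the request body
        return Result.OK();
    }

    // Hardened form: keep the same ownership check, then copy only the fields a user
    // may change about themselves onto the entity loaded from the database.
    // userIdentity and departIds are never read from the request, so the only way
    // to become a department head remains the internal department-head setting flow.
    @RequiresPermissions("system:user:setting:edit")
    @PostMapping("/login/setting/userEdit")
    public Result<?> userEdit(@RequestBody SysUser sysUser, HttpServletRequest req) {
        String jwtUsername = JwtUtil.getUserNameByToken(req);
        SysUser dbUser = sysUserService.getById(sysUser.getId());
        if (dbUser == null || !jwtUsername.equals(dbUser.getUsername())) {
            return Result.error("not allowed to edit this user");
        }
        // Explicit allow-list of self-service profile fields (assumed field names).
        dbUser.setRealname(sysUser.getRealname());
        dbUser.setPhone(sysUser.getPhone());
        dbUser.setEmail(sysUser.getEmail());
        sysUserService.updateById(dbUser); // persists the trusted, DB-fetched entity
        return Result.OK();
    }
}
```

A regression check for the fix is a request that carries `userIdentity: 2` from an ordinary account followed by a read of that user's row; the stored value must be unchanged.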

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Jeecg Boot / Jeecgboot (inferred), 2 versions: <=3.9.1 (+1 more)
    • (no CPE) range: <=3.9.1
    • (no CPE) range: <=3.9.1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (6)

News mentions (0)

No linked articles in our index yet.