CVE-2026-9580
Description
A vulnerability was found in JeecgBoot up to version 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. Manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 3.9.2 fixes this issue; upgrading the affected component is recommended.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An improper access control vulnerability in JeecgBoot's `LoginController.selectDepart` endpoint allows authenticated users to switch to any department or tenant, enabling privilege escalation.
Vulnerability
A vulnerability exists in JeecgBoot up to version 3.9.1 in the LoginController.selectDepart endpoint mapped to PUT /sys/selectDepart. The endpoint lacks any authorization annotations (@RequiresPermissions or @RequiresRoles) and accepts orgCode and loginTenantId directly from the request body without verifying that the values belong to the authenticated user's assigned departments or tenants. The service method SysUserServiceImpl.updateUserDepart() then persists these unvalidated values to the sys_user table [3] [4]. The flaw is designated CVE-2026-9580 [1].
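The following Spring controller is an added illustration of the pattern described above; it is not JeecgBoot's own code, and the names DepartSwitchRequest, DepartService, orgCodesForUser, tenantIdsForUser and DepartSwitchController are assumptions made for this example. It places the unchecked shape (body values persisted as-is, no authorization annotation) beside a hardened variant that takes the caller's identity from the authenticated principal and only accepts an orgCode and loginTenantId that are already assigned to that user.

```java
import java.security.Principal;
import java.util.Set;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical request body carrying the two values the advisory names.
class DepartSwitchRequest {
    public String orgCode;
    public String loginTenantId;
}

// Hypothetical service. The two lookups would read the user's department and
// tenant assignments from the server-side mapping, never from the request.
interface DepartService {
    Set<String> orgCodesForUser(String username);
    Set<String> tenantIdsForUser(String username);
    void updateUserDepart(String username, String orgCode, String loginTenantId);
}

@RestController
@RequestMapping("/sys")
public class DepartSwitchController {
    private final DepartService departService;

    public DepartSwitchController(DepartService departService) {
        this.departService = departService;
    }

    // Unchecked pattern as the advisory describes it: no authorization check, and
    // orgCode/loginTenantId from the body are written straight to the user record.
    // Mapped to a separate path here only so both variants can sit side by side.
    @PutMapping("/selectDepart-unchecked")
    public ResponseEntity<Void> selectDepartUnchecked(@RequestBody DepartSwitchRequest body,
                                                      Principal principal) {
        departService.updateUserDepart(principal.getName(), body.orgCode, body.loginTenantId);
        return ResponseEntity.ok().build();
    }

    // Hardened variant: identity comes from the authenticated principal, and the
    // requested department and tenant must both be in the caller's assigned sets.
    @PutMapping("/selectDepart")
    public ResponseEntity<String> selectDepart(@RequestBody DepartSwitchRequest body,
                                               Principal principal) {
        if (principal == null || body == null || body.orgCode == null || body.loginTenantId == null) {
            return ResponseEntity.badRequest().body("orgCode and loginTenantId are required");
        }
        String username = principal.getName();
        boolean orgAllowed = departService.orgCodesForUser(username).contains(body.orgCode);
        boolean tenantAllowed = departService.tenantIdsForUser(username).contains(body.loginTenantId);
        if (!orgAllowed || !tenantAllowed) {
            // Reject before any write. A 403 here is also the event worth logging,
            // since a user asking for an unassigned department is the signal to watch.
            return ResponseEntity.status(HttpStatus.FORBIDDEN)
                    .body("department or tenant is not assigned to the current user");
        }
        departService.updateUserDepart(username, body.orgCode, body.loginTenantId);
        return ResponseEntity.ok("switched");
    }
}
```

The design point is that the allowed set is derived server-side from the user's existing assignments, so the request can only choose among contexts the user already holds; an annotation such as @RequiresPermissions on the endpoint would gate who may call it, but on its own it would not stop an authorized caller from naming another department, which is why the membership check is the part that matters here.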
Exploitation
An attacker needs only a valid JWT (authentication) to exploit this vulnerability. By sending a PUT request to /sys/selectDepart with arbitrary orgCode and loginTenantId parameters, the attacker can switch their current session context to any department or tenant in the system. Combined with a separate userEdit privilege escalation issue, the attacker can further set userIdentity=2 and departIds to gain full access to a target department's member data [3] [4]. The exploit has been publicly disclosed and may be actively used [1] [3].
Impact
Successful exploitation allows an authenticated attacker to escalate privileges by injecting unauthorized organizational context. This can lead to unauthorized access to department-specific data and tenant resources, potentially compromising the confidentiality and integrity of sensitive information across the JeecgBoot application [3] [4].
Mitigation
The vulnerability is fixed in JeecgBoot version 3.9.2, released on 2026-04-30 [1] [2]. It is recommended to upgrade the affected component to 3.9.2 or later. No workarounds have been publicly documented for older versions [1] [3].
- GitHub - jeecgboot/JeecgBoot: AI low-code platform driven by a dual "low-code + zero-code" mode: low-code generates front-end and back-end code in one click, zero-code builds a system in 5 minutes, and AI Skills draw flows, design forms and generate whole systems from a single sentence. Built-in AI chat, knowledge base, flow orchestration, MCP plugins and more, compatible with mainstream large models. Leads the "AI generation -> online configuration -> code generation -> manual merge -> AI modification" development model, eliminating 80% of the repetitive work in Java projects and improving efficiency without losing flexibility.
- Release v3.9.2 · jeecgboot/JeecgBoot
- `selectDepart` cross-department/tenant context injection
- `selectDepart` cross-department/tenant context injection
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.