CVE-2026-9581
Description
A vulnerability was identified in JeecgBoot up to 3.9.1. The impacted element is an unspecified function of the file /sys/comment/add. Manipulating it leads to improper access controls. The attack can be executed remotely. The exploit is publicly available and might be used. Upgrading to version 3.9.2 is sufficient to resolve this issue; upgrading the affected component is recommended.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JeecgBoot up to 3.9.1 has improper access controls in /sys/comment/add and related endpoints, allowing authenticated users to forge comment authorship via mass assignment.
Vulnerability
JeecgBoot versions up to 3.9.1 contain improper access controls in the /sys/comment/add, /sys/comment/edit, and /sys/checkRule/add endpoints. The controller methods SysCommentController.add, SysCommentController.edit, and SysCheckRuleController.add lack the @RequiresPermissions annotation, allowing any authenticated user to invoke them. Furthermore, the server does not enforce that user identity fields (fromUserId, toUserId, createBy) are set to the current logged-in user, resulting in a mass assignment vulnerability [1][3].
Exploitation
An attacker with a valid authenticated session can send crafted POST requests to the vulnerable endpoints. For /sys/comment/add, the attacker can set arbitrary fromUserId and toUserId in the request body to impersonate any user when posting a comment. Similarly, /sys/comment/edit allows modifying the fromUserId of an existing comment, and /sys/checkRule/add permits setting createBy to any user. No additional privileges or user interaction are required beyond authentication. The exploit details are publicly available [3].
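The two defects described under Vulnerability and exercised under Exploitation, a handler with no @RequiresPermissions check and identity fields taken from the request body, closed in one Spring MVC controller. This is an added illustration written for this page, not JeecgBoot's own code: the SysComment entity (with id, fromUserId, toUserId, createBy and commentContent fields), the SysCommentService persistence layer and the permission strings are assumptions, and the current user is read from the Shiro Subject rather than whatever helper the project uses.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/sys/comment")
public class SysCommentController {
    // Assumed persistence layer and entity; JeecgBoot's real ones may differ.
    private final SysCommentService service;
    public SysCommentController(SysCommentService service) { this.service = service; }

    // The vulnerable shape was this method without the annotation and with
    // service.save(body) called on the request body exactly as received.
    @RequiresPermissions("sys:comment:add")   // unprivileged sessions rejected here
    @PostMapping("/add")
    public ResponseEntity<String> add(@RequestBody SysComment body) {
        String currentUser = currentUserId();
        body.setFromUserId(currentUser);  // client-supplied author discarded
        body.setCreateBy(currentUser);    // same for the audit field
        // toUserId is the addressee and stays client-chosen; the service should verify it exists.
        service.save(body);
        return ResponseEntity.ok("added");
    }

    @RequiresPermissions("sys:comment:edit")
    @PostMapping("/edit")
    public ResponseEntity<String> edit(@RequestBody SysComment body) {
        SysComment existing = service.getById(body.getId());
        // Object-level check: only the author may edit, and only the text
        // changes; fromUserId is never copied from the request.
        if (existing == null || !currentUserId().equals(existing.getFromUserId())) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body("not the comment owner");
        }
        existing.setCommentContent(body.getCommentContent());
        service.updateById(existing);
        return ResponseEntity.ok("edited");
    }

    // Identity comes from the authenticated Shiro subject, never from the body;
    // assumes the principal's string form is the user id.
    private static String currentUserId() {
        return String.valueOf(SecurityUtils.getSubject().getPrincipal());
    }
}
```

The same pattern applies to SysCheckRuleController.add: set createBy from the session rather than from the request, and guard the method with a permission string.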
Impact
Successful exploitation enables an attacker to forge the identity of comment authors and rule creators within the JeecgBoot application. This can lead to reputational damage, social engineering attacks, or confusion in audit trails. The impact is confined to the comment and check rule functionality; no full account takeover or data exfiltration is reported [3].
Mitigation
The issue is resolved in JeecgBoot version 3.9.2, released on 2026-04-30 [2]. Users should upgrade to this version or later. No workarounds are documented. The vendor recommends upgrading the affected component [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
JeecgBoot, range: <=3.9.1
Patches
No patches discovered yet.