CVE-2026-9604
Description
A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improper access controls. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 3.9.2 is able to resolve this issue. The affected component should be upgraded.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JeecgBoot ≤3.9.1 exposes AiragModelController endpoints without permission checks that leak stored AI API keys, letting any authenticated user exfiltrate credentials.
Vulnerability
In JeecgBoot up to version 3.9.1, the AiragModelController exposes the list and queryById endpoints without the @RequiresPermissions annotation, meaning they are accessible to any authenticated user. The returned AiragModel entity includes a credential field that stores the full API key (e.g., {"apiKey":"sk-xxxx..."}) for AI providers such as OpenAI, DeepSeek, and 智谱. This field lacks @JsonIgnore or any serialization protection, so it is included verbatim in the HTTP response. The same pattern also affects AiragAppController, AiragKnowledgeController, and AiragMcpController to a lesser degree, but the model controller is the most severe because it directly exposes usable credentials [1][3].
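As an added example (not JeecgBoot's code and not taken from this CVE's references), the following Python audit scans Spring/Shiro controller and entity sources for the two defects described above: handler methods that carry a request mapping but no @RequiresPermissions, and credential-like fields that lack @JsonIgnore. The Java snippets it scans are constructed to mirror the described pattern; class, method and permission names are hypothetical.

```python
import re

# Constructed Java snippets modelled on the pattern the page describes (not JeecgBoot code):
# list/queryById handlers without @RequiresPermissions, and a credential field without @JsonIgnore.
SAMPLE_CONTROLLER = """
@RequestMapping("/airag/model")
public class AiragModelController {
    @GetMapping("/list")
    public Result<?> list() { return Result.OK(service.list()); }
    @GetMapping("/queryById")
    public Result<?> queryById(@RequestParam String id) { return Result.OK(service.getById(id)); }
    @RequiresPermissions("airag:model:delete")
    @DeleteMapping("/delete")
    public Result<?> delete(@RequestParam String id) { return Result.OK(service.removeById(id)); }
}
"""
SAMPLE_ENTITY = """
public class AiragModel {
    private String credential;
    @JsonIgnore
    private String internalNote;
}
"""
MAPPING_RE = re.compile(r"@(?:Get|Post|Put|Delete|Patch|Request)Mapping\b")
METHOD_RE = re.compile(r"public\s+\S+\s+(\w+)\s*\(")
SECRET_FIELD_RE = re.compile(r"private\s+\w+\s+(\w*(?:credential|apikey|secret|token)\w*)\s*;", re.I)

def annotated_declarations(src):
    """Yield (annotations, declaration) for each non-annotation line; class-level annotations are not inherited."""
    pending = []
    for raw in src.splitlines():
        line = raw.strip()
        if line.startswith("@"):
            pending.append(line)
        else:
            yield pending, line
            pending = []

def unguarded_endpoints(src):
    """Handler methods with a *Mapping annotation but no @RequiresPermissions guard."""
    return [m.group(1) for anns, decl in annotated_declarations(src)
            if (m := METHOD_RE.search(decl))
            and any(MAPPING_RE.search(a) for a in anns)
            and not any(a.startswith("@RequiresPermissions") for a in anns)]

def exposed_secret_fields(src):
    """Credential-like fields that Jackson will serialize because @JsonIgnore is absent."""
    return [m.group(1) for anns, decl in annotated_declarations(src)
            if (m := SECRET_FIELD_RE.search(decl))
            and not any(a.startswith("@JsonIgnore") for a in anns)]
```

Running both checks on the samples reports list and queryById as unguarded and credential as an exposed field; the delete handler and the @JsonIgnore-marked field are not flagged.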
Exploitation
An attacker who has obtained any level of authenticated access to a JeecgBoot instance (no special privileges required) can call GET /airag/model/list to retrieve the entire list of AiragModel objects, including their credential fields, or GET /airag/model/queryById?id= to fetch a specific record. No additional user interaction or write access is needed. The exploit is publicly documented with example source code showing the missing permission checks and the unguarded credential field [3][4].
Impact
Successful exploitation results in the disclosure of stored API keys for third-party AI services. An attacker can use these keys to invoke the corresponding AI provider APIs (e.g., OpenAI, DeepSeek) at the victim’s expense, potentially incurring financial cost, exceeding rate limits, or accessing data that flows through those services. The CIA impact is primarily a confidentiality breach of credential material, which can lead to further resource abuse [3][4].
Mitigation
The vendor released version 3.9.2 on 2026-04-30, which resolves the issue by applying proper access controls to the affected endpoints. Users should upgrade to 3.9.2 (the latest release) immediately. No workaround is described for affected versions (3.9.1 and earlier); upgrading is the only recommended action [2][3][4].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=3.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.