Description
A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java of the component AI Chat Module. Such manipulation leads to missing authentication. The attack can be executed remotely. The name of the patch is b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59. It is best practice to apply a patch to resolve this issue. The project fixed the issue with a commit which shall be part of the next official release.
Published: 2026-04-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass (Unauthorized Access)
Action: Immediate Patch
AI Analysis

Impact

JeecgBoot 3.9.0 and 3.9.1 contain a function in JeecgBizToolsProvider.java that lacks proper authentication checks, allowing a remote request to execute the AI Chat module without identity verification. This flaw permits an attacker to invoke the module’s exposed functionality unimpeded, potentially accessing or manipulating data and leveraging the AI service for malicious purposes. The vulnerability is classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function).

Affected Systems

The issue affects the JeecgBoot framework, specifically the AI Chat component under org.jeecg.modules.airag. Versions 3.9.0 and 3.9.1 are vulnerable. Deployments that have not yet incorporated the corrective commit are at risk.

Risk and Exploitability

With a CVSS score of 6.9, the vulnerability presents moderate severity. Although EPSS is not available, the remote nature of the attack vector suggests a plausible exploitation scenario. The vulnerability is not listed in the CISA KEV catalog, but without authentication controls, malicious actors could reach the exposed API from anywhere on the network, or from the Internet if the deployment is exposed there. Prompt remediation is advised to mitigate the risk of unauthorized data access or manipulation.

Generated by OpenCVE AI on April 6, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch that includes the commit b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39 (or upgrade to a version containing the fix).
  • Verify that the AI Chat module now enforces authentication before allowing any requests.



Advisories

No advisories yet.

History

Tue, 07 Apr 2026 07:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Jeecg; Jeecg jeecgboot

Type: Vendors & Products
Values Removed: (none)
Values Added: Jeecg; Jeecg jeecgboot

Mon, 06 Apr 2026 04:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java of the component AI Chat Module. Such manipulation leads to missing authentication. The attack can be executed remotely. The name of the patch is b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59. It is best practice to apply a patch to resolve this issue. The project fixed the issue with a commit which shall be part of the next official release.

Type: Title
Values Removed: (none)
Values Added: JeecgBoot AI Chat JeecgBizToolsProvider.java missing authentication

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-287; CWE-306

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}
cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-07T03:00:24.200Z

Reserved: 2026-04-05T15:40:39.007Z

Link: CVE-2026-5616

Vulnrichment

Updated: 2026-04-07T03:00:20.422Z

NVD

Status: Deferred

Published: 2026-04-06T04:16:13.407

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-5616

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:47:30Z

Weaknesses