Description
JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id without verifying the auto-export configuration flag. An unauthenticated remote attacker can enumerate Snowflake report identifiers and export the full contents of any report, including the data returned by the report's configured SQL queries and any credentials embedded in its data sources.
Published: 2026-06-30
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JimuReport through version 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication. The handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips both authentication and authorization, and the export service streams the rendered report for any supplied report id without checking the report's auto-export configuration flag. An unauthenticated remote attacker can therefore export the full contents of any report, including the rows returned by the report's configured SQL queries and any credentials stored in its data-source definitions. The impact is limited to confidentiality: the endpoint provides no way to modify reports or the underlying data (CVSS v4.0 VI:N/VA:N), but credentials recovered from a data source may grant direct access to the backing database.

Affected Systems

The vulnerability affects JimuReport, released by jeecgboot (vendor Jeecg), in version 2.5.0 and every earlier release that ships the unguarded endpoint; the CPE entry (cpe:2.3:a:jeecg:jimureport:*:*:*:*:*:*:*:*) is unbounded and no fixed version is listed at the time of analysis. Any deployment whose /jmreport/ paths are reachable from an untrusted network should be treated as exposed.

Risk and Exploitability

The CVSS v4.0 score of 8.7 (v3.1: 7.5) indicates high severity: network attack vector, low complexity, no privileges, no user interaction, high confidentiality impact and no integrity or availability impact. No EPSS score is available, so the likelihood of exploitation cannot be quantified, and no references or third-party advisories are attached to the record yet. The attack is a single unauthenticated HTTP POST; because Snowflake report identifiers are sequential in their timestamp component, a threat actor who can reach the endpoint can walk identifier ranges and download report contents at will. The vulnerability is not currently listed in CISA KEV, but the impact is significant for any instance exposed to the internet.

Generated by OpenCVE AI on June 30, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release of JimuReport in which /jmreport/auto/export is subject to JimuReportTokenInterceptor (the @JimuNoLoginRequired annotation removed) and the export service enforces the report's auto-export flag before streaming; no fixed version is listed yet, so verify after upgrading that an unauthenticated POST to the path is rejected.
  • If an upgrade cannot be performed immediately, deny external access to /jmreport/auto/export at the reverse proxy, WAF or network firewall; if scheduled exports depend on the endpoint, allow only the internal source addresses that legitimately call it, and review proxy access logs for POSTs to the path from any other source.
  • Review existing reports for credentials embedded in their data-source definitions. On instances that were reachable while unpatched, treat those credentials as exposed and rotate them, and restrict the database accounts used by reports to read-only access to the minimum data they need.

Generated by OpenCVE AI on June 30, 2026 at 17:37 UTC.
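
The enumeration pattern described under Risk and Exploitability, and the log review suggested in the recommendations above, can be checked from reverse-proxy access logs. The following is an added example written for this page; it is not OpenCVE's or JimuReport's code. It assumes nginx/Apache combined-format logs in front of JimuReport, that a report id passed in the query string is a Snowflake-style integer (no particular parameter name is assumed), and that the sample lines, including the 404 responses for non-existent ids, are constructed for illustration. Because the token interceptor is bypassed for this handler, the presence or absence of a token is not a usable signal; request volume and distinct report ids per source are.

```python
"""Flag report-id enumeration against POST /jmreport/auto/export in
reverse-proxy access logs.

Added example for this page, not OpenCVE's or JimuReport's code.
Assumptions: nginx/Apache "combined" log lines; a report id in the query
string is a Snowflake-style integer (no particular parameter name is
assumed); the sample lines below are constructed, including the 404
responses for ids that do not exist.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EXPORT_PATH = "/jmreport/auto/export"

# One "combined" access-log line: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Snowflake ids are 64-bit integers, normally 15-20 decimal digits.
SNOWFLAKE_RE = re.compile(r'(?<!\d)\d{15,20}(?!\d)')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    ids = SNOWFLAKE_RE.findall(query)
    rec["report_id"] = ids[0] if ids else None
    return rec


def find_enumeration(lines, window=timedelta(minutes=5),
                     min_requests=5, min_distinct_ids=3):
    """Return {ip: summary} for sources that hammer the export endpoint.

    The handler skips the token interceptor, so an auth header is not a
    usable signal. Instead, for each source IP the densest sliding window
    of POSTs to the export path is scored on request count and distinct
    report ids; 2xx responses are counted because they mean report data
    actually left the server.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == EXPORT_PATH:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = (0, set(), 0)  # (requests, distinct ids, 2xx responses)
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            if len(chunk) > best[0]:
                ids = {r["report_id"] for r in chunk if r["report_id"]}
                ok = sum(1 for r in chunk if 200 <= r["status"] < 300)
                best = (len(chunk), ids, ok)
        requests, ids, ok = best
        if requests >= min_requests or len(ids) >= min_distinct_ids:
            findings[ip] = {"requests": requests,
                            "distinct_ids": len(ids),
                            "exported": ok}
    return findings


# Constructed sample: 203.0.113.7 walks consecutive Snowflake ids within seconds;
# 198.51.100.2 makes a single export call and an ordinary page request.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jun/2026:16:01:02 +0000] "POST /jmreport/auto/export?id=1711781443612917760 HTTP/1.1" 200 48213
203.0.113.7 - - [30/Jun/2026:16:01:03 +0000] "POST /jmreport/auto/export?id=1711781443612917761 HTTP/1.1" 404 152
203.0.113.7 - - [30/Jun/2026:16:01:04 +0000] "POST /jmreport/auto/export?id=1711781443612917762 HTTP/1.1" 200 91010
203.0.113.7 - - [30/Jun/2026:16:01:05 +0000] "POST /jmreport/auto/export?id=1711781443612917763 HTTP/1.1" 200 7034
203.0.113.7 - - [30/Jun/2026:16:01:06 +0000] "POST /jmreport/auto/export?id=1711781443612917764 HTTP/1.1" 404 152
198.51.100.2 - - [30/Jun/2026:16:05:00 +0000] "POST /jmreport/auto/export?id=1711781443612917760 HTTP/1.1" 200 48213
198.51.100.2 - - [30/Jun/2026:16:05:01 +0000] "GET /jmreport/list HTTP/1.1" 200 3011
"""

if __name__ == "__main__":
    for ip, summary in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

On the constructed sample the scanner reports only 203.0.113.7 (five requests, five distinct ids, three successful exports). Against a real log, pass the open file object to find_enumeration and tune the thresholds to the legitimate scheduled-export rate of the deployment; sources that are allowed to call the endpoint can be excluded before scoring.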

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:45:00 +0000

Type / Values Added (no values removed in this entry)

Description
  Added: JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id without verifying the auto-export configuration flag. An unauthenticated remote attacker can enumerate Snowflake report identifiers and export the full contents of any report, including the data returned by the report's configured SQL queries and any credentials embedded in its data sources.
Title
  Added: JimuReport 2.5.0 - Unauthenticated Report Export via /jmreport/auto/export
First Time appeared
  Added: Jeecg; Jeecg jimureport
Weaknesses
  Added: CWE-306
CPEs
  Added: cpe:2.3:a:jeecg:jimureport:*:*:*:*:*:*:*:*
Vendors & Products
  Added: Jeecg; Jeecg jimureport
References
  Added: (none listed)
Metrics
  Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T15:58:47.799Z

Reserved: 2026-06-30T12:43:19.294Z

Link: CVE-2026-58375

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:45:04Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function