Impact
JeecgBoot versions up to and including 3.9.2 contain a broken access control flaw: authenticated low-privilege users can create, read, update, and delete OpenAPI credential pairs through the OpenApiAuthController and OpenApiPermissionController endpoints. The list endpoint returns secret keys in plaintext, so any such user can steal credentials and then invoke the application's OpenAPI surface with them. The root cause is that these controller methods carry no Shiro authorization annotations, so nothing beyond authentication is checked before the request is served. Confidentiality and integrity of every Access Key/Secret Key pair managed by the system are compromised.
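The defect and its fix, sketched here as an added example in the project's language (Java with Spring MVC and Apache Shiro); this is not JeecgBoot's own code, and the class names, field names, routes and permission strings are assumptions chosen for illustration:

```java
import java.util.List;
import java.util.stream.Collectors;

import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Stored credential pair. Class and field names are assumptions for this sketch,
// not JeecgBoot's own entity.
class OpenApiAuth {
    public String id;
    public String ak;  // access key: an identifier, fine to show to its owner
    public String sk;  // secret key: must not be returned after it is issued
}

// Persistence boundary, given only by its signatures (assumed).
interface OpenApiAuthService {
    List<OpenApiAuth> list();
    OpenApiAuth add(OpenApiAuth req);
    void delete(String id);
}

// Response shape for the list endpoint: the secret is replaced by a hint that
// lets an operator recognise a key but cannot be used to sign a request.
class OpenApiAuthView {
    public final String id;
    public final String ak;
    public final String skHint;

    OpenApiAuthView(String id, String ak, String skHint) {
        this.id = id;
        this.ak = ak;
        this.skHint = skHint;
    }

    static OpenApiAuthView masked(OpenApiAuth a) {
        String sk = a.sk == null ? "" : a.sk;
        String tail = sk.length() < 4 ? "" : sk.substring(sk.length() - 4);
        return new OpenApiAuthView(a.id, a.ak, "****" + tail);
    }
}

// BEFORE: the pattern the advisory describes. Shiro's authentication filter
// admits any logged-in session, and with no authorization annotation on the
// method nothing asks whether this user may manage credentials at all.
// The entity is returned as stored, secret key included.
@RestController
@RequestMapping("/demo/openapi/auth/unsafe")  // illustrative path, not the project's route
class OpenApiAuthControllerBefore {
    private final OpenApiAuthService service;
    OpenApiAuthControllerBefore(OpenApiAuthService service) { this.service = service; }

    @GetMapping("/list")
    public List<OpenApiAuth> list() {
        return service.list();  // leaks every sk to any authenticated caller
    }
}

// AFTER: every method names the permission it requires (permission strings are
// hypothetical; map them onto the deployment's real permission model), and the
// list response carries only a masked secret. The full secret is returned
// exactly once, from add(), to the caller who created it.
@RestController
@RequestMapping("/demo/openapi/auth")  // illustrative path, not the project's route
class OpenApiAuthControllerAfter {
    private final OpenApiAuthService service;
    OpenApiAuthControllerAfter(OpenApiAuthService service) { this.service = service; }

    @RequiresPermissions("openapi:auth:list")
    @GetMapping("/list")
    public List<OpenApiAuthView> list() {
        return service.list().stream()
                .map(OpenApiAuthView::masked)
                .collect(Collectors.toList());
    }

    @RequiresPermissions("openapi:auth:add")
    @PostMapping("/add")
    public OpenApiAuth add(@RequestBody OpenApiAuth req) {
        return service.add(req);  // one-time disclosure of the new sk to its creator
    }

    @RequiresPermissions("openapi:auth:delete")
    @DeleteMapping("/delete/{id}")
    public void delete(@PathVariable("id") String id) {
        service.delete(id);
    }
}
```

With the annotated controller, a low-privilege session hits Shiro's AuthorizationException on every method, which the application's exception handler should map to a 403; without such a handler Spring reports a 500, still a denial but a noisier one. The annotations only take effect where Shiro's annotation advisor is active (the Shiro Spring Boot starter registers it; a hand-built configuration needs AuthorizationAttributeSourceAdvisor), so verify the denial with a real low-privilege account rather than trusting the annotation's presence. Because the unpatched list endpoint returned secrets in plaintext, any key that could have been listed before the fix should be treated as exposed.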
Affected Systems
The vulnerability affects JeecgBoot, all releases through version 3.9.2. Any deployment that exposes the OpenAPI credential management controllers is susceptible until a fixed version is applied.
Risk and Exploitability
The CVSS score of 8.6 rates the issue high severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, so no public exploitation has been confirmed; that is not evidence that none has occurred. Exploitation requires only an authenticated user with low privileges, a condition most deployments meet, since any ordinary account is enough. Such a user can enumerate, create, modify, or delete credential records and then take over downstream services that trust those credentials. The access control gap itself is reachable only from within an authenticated session, but the impact of the disclosed keys extends to every system that accepts them.
OpenCVE Enrichment