Description
A vulnerability has been found in JeecgBoot up to 3.9.1. This impacts an unknown function of the component SysAnnouncementController. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirmed the issue and will provide a fix in the upcoming release.
Published: 2026-04-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

An improper authorization flaw exists in the SysAnnouncementController component of JeecgBoot. The vulnerability allows an attacker to bypass normal access controls and perform actions that should be restricted to authenticated or privileged users. This can enable viewing, creating, editing, or deleting system announcements without proper authorization. The flaw is exploitable remotely, and the exploit has already been disclosed publicly.

Affected Systems

JeecgBoot is affected. Versions up to and including 3.9.1 are vulnerable. All installations of JeecgBoot that provide the SysAnnouncementController function are at risk until a patch is applied.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. EPSS data is not available, and the vulnerability is not listed in the KEV catalog. The analysis infers that the attack vector is remote, meaning an external attacker can trigger the flaw over the network. Since the exploit has been disclosed and may already be in use, systems remain at moderate risk until the vendor releases a fix.

Generated by OpenCVE AI on April 10, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s forthcoming patch or upgrade to a version newer than 3.9.1 when it becomes available.
  • If an immediate update is not possible, restrict network access to the SysAnnouncementController endpoint to trusted IP ranges or authenticated users only.
  • Monitor application logs for unauthorized access attempts to announcement endpoints and investigate any anomalies.
  • Verify that authentication and role‑based access controls are correctly configured to prevent similar authorization bypasses.


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 17:15:00 +0000

Values Removed: none
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Values Removed: none
Values Added:
  • First Time appeared: Jeecg; Jeecg jeecgboot
  • Vendors & Products: Jeecg; Jeecg jeecgboot

Fri, 10 Apr 2026 02:45:00 +0000

Values Removed: none
Values Added:
  • Description: A vulnerability has been found in JeecgBoot up to 3.9.1. This impacts an unknown function of the component SysAnnouncementController. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirmed the issue and will provide a fix in the upcoming release.
  • Title: JeecgBoot SysAnnouncementController improper authorization
  • Weaknesses: CWE-266, CWE-285
  • References
  • Metrics:
      cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C'}
      cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}
      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}
      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-10T17:05:03.875Z

Reserved: 2026-04-09T13:03:06.047Z

Link: CVE-2026-5999

Vulnrichment

Updated: 2026-04-10T17:04:58.803Z

NVD

Status: Deferred

Published: 2026-04-10T03:16:04.053

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5999

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:27:04Z
