Description
A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used.
Published: 2026-04-28
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: Authentication Bypass / Privileged Access
Action: Patch
AI Analysis

Impact

The vulnerability resides in the OpenAPI endpoint of Xuxueli xxl-job, where manipulation of the default_token parameter causes the application to use a hard-coded cryptographic key. Based on the description, it is inferred that this may allow an attacker to bypass authentication and reach privileged API routes that can trigger arbitrary job executions or other sensitive operations. The CVE description states that the exploit can be launched remotely and requires a high level of complexity, and that it has been publicly disclosed.

Affected Systems

Affected releases are Xuxueli xxl-job versions 3.3.2 and earlier, specifically the xxl-job-admin module that hosts the OpenAPI endpoint. All instances running any of these versions expose the vulnerability until a release that removes the hard-coded key or implements proper token handling is deployed.

Risk and Exploitability

The CVSS score of 6.3 denotes medium severity; no EPSS data is available, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is remote, requiring only HTTP requests to the OpenAPI endpoint, and although the exploit is considered difficult because of its high complexity, public disclosure makes the threat realistic. Administrators should therefore evaluate the risk of unauthorized access to the job scheduler and mitigate accordingly.

Generated by OpenCVE AI on April 29, 2026 at 02:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version newer than 3.3.2 where the hard-coded key is removed or corrected.
  • If an upgrade is not immediately possible, restrict network access to the OpenAPI endpoint so that only trusted hosts can reach it.
  • Replace or disable the default_token handling by implementing a secure, randomly generated token or enforcing proper authentication for the OpenAPI routes.

Tracking

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 22:15:00 +0000

Type / Values Removed / Values Added

Description: A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used.

Title: Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard-coded key

First Time appeared: Xuxueli; Xuxueli xxl-job

Weaknesses: CWE-320; CWE-321

CPEs: cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*

Vendors & Products: Xuxueli; Xuxueli xxl-job

References: (none listed)

Metrics:

  cvssV2_0: {'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:C'}

  cvssV3_0: {'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}

  cvssV3_1: {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}

  cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T19:30:13.749Z

Reserved: 2026-04-28T11:45:16.427Z

Link: CVE-2026-7306

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-28T22:16:51.060

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7306

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T02:45:35Z

Weaknesses