Description
A flaw has been found in JeecgBoot 3.9.1. The affected code is an unknown function in the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginController.java of the mLogin Endpoint component. The manipulation leads to an authorization bypass. The attack can be carried out remotely, has high complexity, and is regarded as difficult to exploit. An exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-09
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the mLogin Endpoint of JeecgBoot 3.9.1, in LoginController.java, and permits an attacker to bypass normal authorization checks. This allows unauthorized access to protected resources, potentially exposing sensitive data or enabling further privileged actions. The issue is classified as CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Affected Systems

JeecgBoot applications running version 3.9.1 are affected. The flaw is located in the LoginController of the jeecg-module-system/jeecg-system-biz module.

Risk and Exploitability

The CVSS v4.0 base score of 6.3 indicates medium severity. The EPSS score of under 1% indicates a very low predicted probability of exploitation in the wild, although the vulnerability is exploitable remotely and with high attack complexity. The CVE is not listed in the CISA KEV catalog. An attacker would need to reach the mLogin Endpoint, craft a request that manipulates the authorization logic, and thereby obtain unauthorized privileges.

Generated by OpenCVE AI on May 9, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround is currently available.

OpenCVE Recommended Actions

  • Upgrade to the latest JeecgBoot release that contains the fix for the mLogin authorization issue.
  • If an upgrade cannot be performed, restrict network access to the mLogin Endpoint to trusted systems only and monitor for bypass attempts.
  • Implement application-level monitoring for unusual authorization failures and review audit logs for signs of unauthorized access.

Generated by OpenCVE AI on May 9, 2026 at 21:50 UTC.

Advisories

No advisories yet.

History

Mon, 11 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Jeecg; Jeecg jeecgboot
Vendors & Products | (none) | Jeecg; Jeecg jeecgboot

Sat, 09 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | A flaw has been found in JeecgBoot 3.9.1. The impacted element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginController.java of the component mLogin Endpoint. This manipulation causes authorization bypass. The attack is possible to be carried out remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | (none) | JeecgBoot mLogin Endpoint LoginController.java authorization
Weaknesses | (none) | CWE-285; CWE-639
References | (none) | (none)
Metrics | (none) | cvssV2_0: {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
Metrics | (none) | cvssV3_0: {'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics | (none) | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics | (none) | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-11T16:01:32.052Z

Reserved: 2026-05-08T20:14:24.163Z

Link: CVE-2026-8196

Vulnrichment

Updated: 2026-05-11T15:59:29.506Z

NVD

Status: Deferred

Published: 2026-05-09T21:16:26.793

Modified: 2026-05-11T15:11:48.807

Link: CVE-2026-8196

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T20:00:05Z

Weaknesses