Description
A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument userIdentity results in improper access controls. The attack may be launched remotely. The exploit has been made public and could be used. Upgrading to version 3.9.2 is recommended to address this issue. The affected component should be upgraded.
Published: 2026-05-26
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises in JeecgBoot’s SysUser component when the user.getUsername function processes the userIdentity argument. An attacker can manipulate this argument to bypass the intended access checks, allowing unauthorized operations or data access that should be restricted to authenticated users. The vulnerability is classified as a medium severity issue (CVSS 5.3) and carries the risk of unauthorized account access, potentially leading to confidentiality and integrity violations for affected users.

Affected Systems

JeecgBoot versions up to and including 3.9.1 are affected, specifically the userEdit endpoint at /sys/user/login/setting/userEdit within the SysUser component. The fix is available in version 3.9.2 and later releases.

Risk and Exploitability

The exploit can be launched remotely, and a public exploit exists, meaning attackers could target vulnerable instances over the network. The EPSS score is not available, but the CVSS rating of 5.3 indicates a moderate risk. The vulnerability is not listed in CISA’s KEV catalog, but the publicly available exploit and the potential for unauthorized access underscore the need for timely remediation. Attackers would likely send crafted HTTP requests to the userEdit API, supplying a manipulated userIdentity value to impersonate another user or elevate privileges.

Generated by OpenCVE AI on May 26, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to JeecgBoot 3.9.2 or later, which removes the improper access control flaw in the user.getUsername function.
  • Restrict the /sys/user/login/setting/userEdit endpoint so that only authenticated users with the appropriate role permissions can invoke it; enforce strict validation of the supplied userIdentity argument in any custom middleware.
  • Temporarily block or rate-limit requests to the affected endpoint from untrusted IP addresses, and enable detailed logging to detect and deter unauthorized access attempts until a permanent patch is applied.
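The second and third recommendations above amount to an object-level and field-level authorization rule for the userEdit endpoint, plus a way to spot requests that break it in access logs. The block below is an added example and not JeecgBoot's own code: the endpoint path and the userIdentity field name are taken from this advisory, while the role name, the field allowlists, the Principal type and the log line format are constructed assumptions for illustration.

```python
"""Server-side authorization rule and a log check for a self-service user-edit
endpoint. Added example, not JeecgBoot's own code: the endpoint path and the
"userIdentity" field name come from the advisory; the role name, the field
allowlists and the log format are constructed assumptions."""
import json
import re
from dataclasses import dataclass

ENDPOINT = "/sys/user/login/setting/userEdit"
ADMIN_ROLE = "admin"                                                    # assumed role name
SELF_EDITABLE = frozenset({"username", "realname", "email", "phone"})  # assumed allowlist
PRIVILEGED = frozenset({"userIdentity", "roles", "status"})            # userIdentity from advisory; others assumed


@dataclass(frozen=True)
class Principal:
    """Authenticated caller as resolved from the session (assumed shape)."""
    username: str
    roles: frozenset


def authorize_user_edit(principal, payload):
    """Decide whether `principal` may apply `payload` to the user-edit endpoint.

    Returns (allowed, reason). A non-admin caller may only edit their own record
    and may not touch privileged fields; any field outside both allowlists is
    rejected instead of being silently bound to the user entity.
    """
    if principal is None:
        return False, "unauthenticated"
    is_admin = ADMIN_ROLE in principal.roles
    target = payload.get("username")
    if not isinstance(target, str) or not target:
        return False, "missing target username"
    if target != principal.username and not is_admin:
        return False, f"caller {principal.username} may not edit {target}"
    privileged_touched = sorted(set(payload) & PRIVILEGED)
    if privileged_touched and not is_admin:
        return False, "privileged field(s) in self-service request: " + ", ".join(privileged_touched)
    unknown = sorted(set(payload) - SELF_EDITABLE - PRIVILEGED)
    if unknown:
        return False, "unexpected field(s): " + ", ".join(unknown)
    return True, "ok"


# Constructed access-log format: timestamp, session user, method, path, JSON body.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>\S+) (?P<path>\S+) body=(?P<body>.*)$")


def flag_user_edit_requests(log_lines, admins):
    """Return one finding per logged userEdit request that the rule above would deny.

    `admins` is the set of usernames holding the admin role; each finding is
    (timestamp, user, reason) so it can feed alerting or an investigation.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["path"] != ENDPOINT:
            continue
        try:
            payload = json.loads(m["body"])
        except json.JSONDecodeError:
            findings.append((m["ts"], m["user"], "unparseable body"))
            continue
        roles = frozenset({ADMIN_ROLE}) if m["user"] in admins else frozenset()
        allowed, reason = authorize_user_edit(Principal(m["user"], roles), payload)
        if not allowed:
            findings.append((m["ts"], m["user"], reason))
    return findings


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2026-05-26T20:30:01Z user=alice POST /sys/user/login/setting/userEdit body={"username":"alice","email":"a@example.test"}',
    '2026-05-26T20:30:07Z user=alice POST /sys/user/login/setting/userEdit body={"username":"alice","userIdentity":2}',
    '2026-05-26T20:30:12Z user=alice POST /sys/user/login/setting/userEdit body={"username":"bob","email":"x@example.test"}',
    '2026-05-26T20:30:20Z user=root POST /sys/user/login/setting/userEdit body={"username":"bob","userIdentity":2}',
    '2026-05-26T20:30:25Z user=alice GET /sys/user/list body=',
]

if __name__ == "__main__":
    for finding in flag_user_edit_requests(SAMPLE_LOG, admins={"root"}):
        print(*finding)
```

Running the block on the constructed sample flags two of the five lines: the self-edit that carries userIdentity and the attempt by a non-admin to edit a different user; the admin's edit and the plain e-mail change pass. The same `authorize_user_edit` function is what a request filter in front of the endpoint would call, so the detection and the enforcement share one rule and cannot drift apart.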

Generated by OpenCVE AI on May 26, 2026 at 21:52 UTC.


Advisories

No advisories yet.

History

Tue, 26 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument userIdentity results in improper access controls. The attack may be launched remotely. The exploit has been made public and could be used. Upgrading to version 3.9.2 is recommended to address this issue. The affected component should be upgraded.
Title | | JeecgBoot SysUser userEdit user.getUsername access control
First Time appeared | | Jeecgboot; Jeecgboot jeecgboot
Weaknesses | | CWE-266; CWE-284
CPEs | | cpe:2.3:a:jeecgboot:jeecgboot:*:*:*:*:*:*:*:*
Vendors & Products | | Jeecgboot; Jeecgboot jeecgboot
References | |
Metrics | | cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Jeecgboot Jeecgboot
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-26T19:45:09.078Z

Reserved: 2026-05-26T12:50:05.008Z

Link: CVE-2026-9579

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-26T21:16:44.980

Modified: 2026-05-26T21:16:44.980

Link: CVE-2026-9579

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T22:00:15Z

Weaknesses