Description
A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.9.2 is sufficient to fix this issue. It is suggested to upgrade the affected component.
Published: 2026-05-26
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper access control flaw in the LoginController.selectDepart function of JeecgBoot, which allows an attacker to manipulate the /sys/selectDepart endpoint and bypass authentication checks, thereby gaining unauthorized access to sensitive data or operations. The weakness is rooted in insecure permission handling (CWE-266) and improper access control (CWE-284), enabling attackers to read or potentially modify data that should be restricted, compromising confidentiality and integrity.

Affected Systems

JeecgBoot up to version 3.9.1 is affected. All installations running version 3.9.1 or earlier are vulnerable. Upgrading to version 3.9.2, which contains the fix for the LoginController.selectDepart access control issue, removes the vulnerability.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the exploit has been publicly disclosed, allowing remote attackers to perform the attack without additional privileges. EPSS is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector is remote (AV:N in the listed CVSS vectors), likely involving crafted HTTP requests to the /sys/selectDepart endpoint, and requires no local credentials. The risk is moderate due to the public disclosure and potential for unauthorized data access.

Generated by OpenCVE AI on May 26, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to JeecgBoot 3.9.2 to apply the vendor‑issued fix.
  • Configure the application so that only users with appropriate roles can access the /sys/selectDepart endpoint, enforcing strict role‑based access controls.
  • Monitor authentication and request logs for repeated attempts to the /sys/selectDepart endpoint to detect potential exploitation attempts.


Advisories

No advisories yet.

History

Tue, 26 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.9.2 is sufficient to fix this issue. It is suggested to upgrade the affected component.
Title | | JeecgBoot selectDepart LoginController.selectDepart access control
First Time appeared | | Jeecgboot; Jeecgboot jeecgboot
Weaknesses | | CWE-266; CWE-284
CPEs | | cpe:2.3:a:jeecgboot:jeecgboot:*:*:*:*:*:*:*:*
Vendors & Products | | Jeecgboot; Jeecgboot jeecgboot
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
 | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-26T20:15:14.623Z

Reserved: 2026-05-26T12:50:07.533Z

Link: CVE-2026-9580

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-26T21:16:45.167

Modified: 2026-05-26T21:16:45.167

Link: CVE-2026-9580

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T21:45:16Z
