Description
A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improper access controls. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 3.9.2 is able to resolve this issue. The affected component should be upgraded.
Published: 2026-05-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AiragModelController in JeecgBoot permits manipulation of the queryById argument list to bypass standard access controls. The flaw stems from insufficient validation of user‑supplied arguments, allowing a remote attacker to request data that should be restricted. This results in unauthorized access to application data and potentially higher‑privilege operations, representing an access control weakness tied to CWE‑266 and CWE‑284.

Affected Systems

Affected products are JeecgBoot applications up to version 3.9.1. The vulnerability resides in the AiragModelController component and is resolved by upgrading to release 3.9.2. No other versions or components are listed as vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and no EPSS value is available; the vulnerability is not currently listed in the CISA KEV catalog. The flaw can be exploited remotely over the web interface, and an exploit is publicly available. A remote attacker can craft queryById requests to bypass permissions, subject only to network access to the affected endpoint.

Generated by OpenCVE AI on May 27, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update JeecgBoot to version 3.9.2 or later, which includes the fix for AiragModelController access controls.
  • Validate that the ACL implementation verifies the user’s identity and permissions before processing any queryById parameters, ensuring that users cannot access resources they are not authorized to view.
  • Deploy web application firewall or intrusion detection rules that identify and block suspicious queryById manipulations or unauthorized access attempts.

Generated by OpenCVE AI on May 27, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 23:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improper access controls. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 3.9.2 is able to resolve this issue. The affected component should be upgraded.
Title JeecgBoot AiragModelController access control
First Time appeared Jeecgboot
Jeecgboot jeecgboot
Weaknesses CWE-266
CWE-284
CPEs cpe:2.3:a:jeecgboot:jeecgboot:*:*:*:*:*:*:*:*
Vendors & Products Jeecgboot
Jeecgboot jeecgboot
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Jeecgboot Jeecgboot
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-27T14:25:39.195Z

Reserved: 2026-05-26T16:06:37.880Z

Link: CVE-2026-9604

cve-icon Vulnrichment

Updated: 2026-05-27T14:25:34.611Z

cve-icon NVD

Status : Deferred

Published: 2026-05-26T23:16:21.433

Modified: 2026-06-17T11:05:31.973

Link: CVE-2026-9604

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T00:30:20Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-284

    Improper Access Control