CVE-2026-3672 is a SQL injection vulnerability identified in JeecgBoot, an open-source rapid development platform. The vulnerability resides in the isExistSqlInjectKeyword function of the /jeecg-boot/sys/api/getDictItems API endpoint. This function is intended to detect SQL injection keywords but is flawed, allowing attackers to bypass detection and inject malicious SQL commands. The injection occurs due to improper sanitization and validation of user-supplied input, enabling attackers to manipulate backend SQL queries remotely. Exploitation requires no user interaction and no authentication but does require low privileges, indicating that an attacker with limited access can leverage this flaw. The vulnerability affects versions 3.9.0 and 3.9.1 of JeecgBoot. The CVSS 4.0 base score is 5.3 (medium severity), reflecting moderate impact on confidentiality, integrity, and availability with relatively low complexity of attack. Although no public patches or fixes are linked yet, the exploit has been publicly disclosed, increasing the risk of exploitation. Organizations using JeecgBoot should be aware of this vulnerability and monitor for suspicious activity targeting the affected API endpoint.

This vulnerability can allow attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, data modification, or denial of service. The partial compromise of confidentiality means sensitive data could be exposed. Integrity impacts include unauthorized changes to data, which could affect application behavior or data trustworthiness. Availability could be affected if attackers execute commands that disrupt database operations. Since the attack can be performed remotely without user interaction or authentication, the attack surface is broad. Organizations relying on JeecgBoot for critical applications risk data breaches, operational disruption, and reputational damage. The medium severity score indicates that while the impact is significant, exploitation complexity and scope are somewhat limited. However, the public disclosure of the exploit increases the urgency to address this vulnerability to prevent potential attacks.

Organizations should immediately review their use of JeecgBoot versions 3.9.0 and 3.9.1 and plan to upgrade to a patched version once available. In the absence of an official patch, implement strict input validation and sanitization on all inputs to the /jeecg-boot/sys/api/getDictItems endpoint, especially focusing on SQL injection keyword detection and blocking. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting this endpoint. Restrict access to the vulnerable API endpoint to trusted networks or authenticated users where possible, reducing exposure. Monitor logs for unusual SQL query patterns or errors indicative of injection attempts. Conduct regular security assessments and code reviews focusing on input handling in the affected function. Additionally, consider database-level protections such as limiting database user permissions to minimize impact if exploitation occurs. Maintain up-to-date backups to enable recovery in case of data compromise.