CVE-2026-58375: Missing Authentication for Critical Function in jeecgboot jimureport
JimuReport versions up to 2.5.0 have a missing authentication vulnerability on the POST /jmreport/auto/export endpoint. This endpoint is accessible without authentication due to the @JimuNoLoginRequired annotation, allowing unauthenticated attackers to export any report by enumerating report IDs. The exported reports include data returned by SQL queries and any embedded credentials in data sources. The vulnerability has a high severity with a CVSS score of 7.5. The product is a cloud service, and the vendor manages remediation server-side.
AI Analysis
Technical Summary
CVE-2026-58375 describes a missing authentication vulnerability in JimuReport (jeecgboot) through version 2.5.0. The POST /jmreport/auto/export endpoint is annotated with @JimuNoLoginRequired, causing the JimuReportTokenInterceptor to skip authentication and authorization checks. Consequently, an unauthenticated remote attacker can enumerate report identifiers and export the full contents of any report, including sensitive data from SQL queries and embedded credentials. This issue affects all versions up to and including 2.5.0. The product is cloud-hosted, and the vendor is responsible for patching and mitigating this vulnerability.
Potential Impact
An unauthenticated remote attacker can access and export any report from the JimuReport service, potentially exposing sensitive data returned by SQL queries and credentials embedded in data sources. This leads to a confidentiality breach with no impact on integrity or availability reported.
Mitigation Recommendations
Since JimuReport is a cloud-hosted service, the vendor manages remediation server-side. Users should consult the vendor advisory for confirmation of patch deployment and ensure their service is updated accordingly. No additional user action is required if the vendor has applied the fix.
CVE-2026-58375: Missing Authentication for Critical Function in jeecgboot jimureport
Description
JimuReport versions up to 2.5.0 have a missing authentication vulnerability on the POST /jmreport/auto/export endpoint. This endpoint is accessible without authentication due to the @JimuNoLoginRequired annotation, allowing unauthenticated attackers to export any report by enumerating report IDs. The exported reports include data returned by SQL queries and any embedded credentials in data sources. The vulnerability has a high severity with a CVSS score of 7.5. The product is a cloud service, and the vendor manages remediation server-side.
CVSS v3.1
Score 7.5high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-58375 describes a missing authentication vulnerability in JimuReport (jeecgboot) through version 2.5.0. The POST /jmreport/auto/export endpoint is annotated with @JimuNoLoginRequired, causing the JimuReportTokenInterceptor to skip authentication and authorization checks. Consequently, an unauthenticated remote attacker can enumerate report identifiers and export the full contents of any report, including sensitive data from SQL queries and embedded credentials. This issue affects all versions up to and including 2.5.0. The product is cloud-hosted, and the vendor is responsible for patching and mitigating this vulnerability.
Potential Impact
An unauthenticated remote attacker can access and export any report from the JimuReport service, potentially exposing sensitive data returned by SQL queries and credentials embedded in data sources. This leads to a confidentiality breach with no impact on integrity or availability reported.
Mitigation Recommendations
Since JimuReport is a cloud-hosted service, the vendor manages remediation server-side. Users should consult the vendor advisory for confirmation of patch deployment and ensure their service is updated accordingly. No additional user action is required if the vendor has applied the fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-06-30T12:43:19.294Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a43f43127e9c79719185fa9
Added to database: 06/30/2026, 16:52:01 UTC
Last enriched: 06/30/2026, 17:06:23 UTC
Last updated: 06/30/2026, 17:06:23 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.