CVE-2026-7602: Improper Authorization in JeecgBoot
A vulnerability was found in JeecgBoot up to 3.9.1. Affected by this vulnerability is an unknown functionality of the file /sys/fillRule/edit of the component FillRuleUtil Component. The manipulation of the argument ruleClass results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. You should upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release.
AI Analysis
Technical Summary
This vulnerability in JeecgBoot (up to version 3.9.1) affects an unspecified functionality of the FillRuleUtil component, specifically the /sys/fillRule/edit endpoint. Improper authorization arises from manipulation of the ruleClass argument, enabling remote attackers with limited privileges to perform unauthorized actions. The vendor has acknowledged the issue and intends to provide a patch in a future release. The CVSS 4.0 base score is 5.3, reflecting medium severity with network attack vector, low complexity, no user interaction, and limited impact on confidentiality, integrity, and availability.
Potential Impact
The vulnerability allows remote attackers with limited privileges to bypass authorization controls in the FillRuleUtil component, potentially leading to unauthorized modifications or actions within the affected functionality. Although the exact impact is limited (low confidentiality, integrity, and availability impact), it could facilitate unauthorized changes that may affect system behavior or data integrity. No known active exploitation has been reported.
Mitigation Recommendations
Currently, no official patch or fix is available as the vendor plans to address the issue in an upcoming release. Users should monitor vendor advisories for the release of the fix and plan to upgrade promptly once available. Until then, restrict access to the /sys/fillRule/edit endpoint to trusted users only and apply any available access control measures to limit exposure. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-7602: Improper Authorization in JeecgBoot
Description
A vulnerability was found in JeecgBoot up to 3.9.1. Affected by this vulnerability is an unknown functionality of the file /sys/fillRule/edit of the component FillRuleUtil Component. The manipulation of the argument ruleClass results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. You should upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release.
CVSS v4.0
Score 5.3medium
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in JeecgBoot (up to version 3.9.1) affects an unspecified functionality of the FillRuleUtil component, specifically the /sys/fillRule/edit endpoint. Improper authorization arises from manipulation of the ruleClass argument, enabling remote attackers with limited privileges to perform unauthorized actions. The vendor has acknowledged the issue and intends to provide a patch in a future release. The CVSS 4.0 base score is 5.3, reflecting medium severity with network attack vector, low complexity, no user interaction, and limited impact on confidentiality, integrity, and availability.
Potential Impact
The vulnerability allows remote attackers with limited privileges to bypass authorization controls in the FillRuleUtil component, potentially leading to unauthorized modifications or actions within the affected functionality. Although the exact impact is limited (low confidentiality, integrity, and availability impact), it could facilitate unauthorized changes that may affect system behavior or data integrity. No known active exploitation has been reported.
Mitigation Recommendations
Currently, no official patch or fix is available as the vendor plans to address the issue in an upcoming release. Users should monitor vendor advisories for the release of the fix and plan to upgrade promptly once available. Until then, restrict access to the /sys/fillRule/edit endpoint to trusted users only and apply any available access control measures to limit exposure. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-01T11:57:48.649Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f57840cbff5d861067b4e1
Added to database: 5/2/2026, 4:06:24 AM
Last enriched: 5/10/2026, 2:16:42 AM
Last updated: 6/16/2026, 2:59:02 AM
Views: 85
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.