GHSA-6w4x-5vf2-7756
JeecgBoot versions through 3.9.2 have a broken access control vulnerability allowing authenticated low-privilege users to fully manage OpenAPI credentials via endpoints lacking proper authorization. This enables attackers to list, add, edit, and delete all API key pairs, with secret keys exposed in plaintext, risking credential theft and unauthorized API access.
AI Analysis
Technical Summary
JeecgBoot through version 3.9.2 contains a broken access control vulnerability (CWE-862, missing authorization) in the OpenApiAuthController and OpenApiPermissionController endpoints. The affected handler methods carry no Shiro authorization annotation (such as @RequiresPermissions or @RequiresRoles), so the only check that applies is that the caller is logged in: any authenticated user, regardless of role, can perform full CRUD operations on OpenAPI credentials. This includes listing every AK/SK (access key / secret key) pair with the secret key returned in plaintext, which allows credential theft and unauthorized invocation of the OpenAPI surface with the stolen keys. The vulnerability is tracked as CVE-2026-58377 and is rated high severity.
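The pattern behind the flaw, as an added illustration (this is not JeecgBoot's code, and the class, service, request paths and permission string are assumptions): in a Spring MVC application guarded by Apache Shiro, a handler method without an authorization annotation is reachable by every authenticated subject, and if it also serialises the secret key it leaks it to all of them. The hardened variant gates each method on an explicit permission and masks the secret in list responses.

```java
// Added example, not JeecgBoot's code. Names below (OpenApiKeyController, AkSkService,
// OpenApiKey, the request paths and the permission string) are hypothetical.
package example.openapi;

import java.util.List;
import java.util.stream.Collectors;

import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/example/openapi/auth")
public class OpenApiKeyController {

    // Hypothetical credential record: access key (ak) and secret key (sk).
    public record OpenApiKey(String id, String ak, String sk, String ownerUserId) {}

    // Hypothetical persistence service.
    public interface AkSkService {
        List<OpenApiKey> findAll();
        void delete(String id);
    }

    private final AkSkService service;

    public OpenApiKeyController(AkSkService service) {
        this.service = service;
    }

    // VULNERABLE PATTERN (CWE-862): no Shiro annotation, so the Shiro advisor never
    // intercepts this method. Any logged-in subject can call it, and the response
    // carries the raw secret key for every credential pair.
    @GetMapping("/list-unsafe")
    public List<OpenApiKey> listUnsafe() {
        return service.findAll();
    }

    // HARDENED: require an explicit permission string (assumed here) and never
    // return the full secret key after it has been issued.
    @RequiresPermissions("openapi:credential:manage")
    @GetMapping("/list")
    public List<OpenApiKey> list() {
        return service.findAll().stream()
                .map(k -> new OpenApiKey(k.id(), k.ak(), mask(k.sk()), k.ownerUserId()))
                .collect(Collectors.toList());
    }

    // HARDENED: destructive operations get the same gate.
    @RequiresPermissions("openapi:credential:manage")
    @DeleteMapping("/{id}")
    public void delete(@PathVariable String id) {
        service.delete(id);
    }

    // Keep a short prefix so an operator can identify a key without learning it.
    static String mask(String sk) {
        if (sk == null || sk.length() < 8) {
            return "****";
        }
        return sk.substring(0, 4) + "****";
    }
}
```

Two caveats when applying this in a Shiro application: the annotations are only enforced if the Shiro AOP support (AuthorizationAttributeSourceAdvisor together with a Spring proxy creator) is registered, so an unconfigured advisor silently turns the annotations into no-ops; and masking in the list response does not protect keys that were already read, so rotation is still required after the fix.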
Potential Impact
Authenticated low-privilege users can exploit this vulnerability to steal OpenAPI credentials by accessing endpoints that expose secret keys in plaintext. This enables unauthorized full control over API credentials, potentially allowing attackers to invoke the OpenAPI with stolen credentials, leading to unauthorized access and actions within the affected system.
Mitigation Recommendations
Patch status is not yet confirmed. Check the vendor advisory for current remediation guidance and monitor JeecgBoot releases for a fix. Until an official fix is available, restrict the affected endpoints (the OpenApiAuthController and OpenApiPermissionController routes) to administrator accounts, for example at the reverse proxy or in the Shiro filter chain, and review which accounts hold any login at all, since every authenticated user can reach the endpoints. Check access logs for requests to those routes from non-administrator sessions. Because secret keys are returned in plaintext, treat every existing AK/SK pair as potentially exposed and rotate them once the endpoints are locked down; patching alone does not invalidate keys that were already read.
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: GHSA-6w4x-5vf2-7756
- Osv Schema Version: 1.4.0
- Aliases: ["CVE-2026-58377"]
- Ecosystems: []
- Database Specific Severity: HIGH
- Cvss Version: 4.0
Threat ID: 6a4452e227e9c797198e1260
Added to database: 06/30/2026, 23:36:02 UTC
Last enriched: 06/30/2026, 23:48:52 UTC
Last updated: 06/30/2026, 23:51:28 UTC