CVE-2026-5616
Received - Intake
Authentication Bypass in JeecgBoot AI Chat Module

Publication date: 2026-04-06

Last updated on: 2026-04-06

Assigner: VulDB

Description
A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java of the component AI Chat Module. Such manipulation leads to missing authentication. The attack can be executed remotely. The name of the patch is b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59. It is best practice to apply a patch to resolve this issue. The project fixed the issue with a commit which shall be part of the next official release.
Meta Information

Published: 2026-04-06

Last Modified: 2026-04-06

Generated: 2026-06-16

AI Q&A: 2026-04-06

EPSS Evaluated: 2026-06-14

Affected Vendors & Products

Showing 2 associated CPEs

| Vendor | Product | Version / Range |
|---|---|---|
| jeecgboot | jeecgboot | 3.9.0 |
| jeecgboot | jeecgboot | 3.9.1 |

| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |

Executive Summary

CVE-2026-5616 is a security vulnerability in JeecgBoot versions 3.9.0 and 3.9.1 affecting the AI Chat Module. The vulnerability arises because the method responsible for handling AI chat requests, specifically the `sendWithDefault()` method in `AiragChatServiceImpl.java`, loads sensitive AI business tools without verifying if the user is authenticated.

The AI chat endpoint `/airag/chat/send` is publicly accessible without authentication due to the `@IgnoreAuth` annotation. This allows unauthenticated attackers to invoke sensitive backend tools such as `add_user`, `query_user_by_name`, `query_all_roles`, and `grant_user_roles` by sending natural language instructions.

Exploiting this vulnerability enables attackers to create backdoor admin accounts, retrieve sensitive user information, enumerate system roles, and escalate privileges, potentially leading to full system compromise.

The root cause is the lack of authentication checks before loading these sensitive tools for the default AI application. The vulnerability was fixed by adding authentication verification to ensure only logged-in users can access these tools, and further enhanced by implementing fine-grained permission checks to restrict access to privileged operations.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access and control over the affected system.

  • Attackers can create backdoor administrator accounts without authentication.
  • Sensitive user information such as phone numbers, emails, and user IDs can be disclosed.
  • System roles can be enumerated, revealing internal permission structures.
  • Privilege escalation is possible by granting admin roles to unauthorized users.
  • Ultimately, attackers can gain full system control remotely via the AI chat interface.

Detection Guidance

This vulnerability can be detected by monitoring requests to the AI chat endpoint `/airag/chat/send` for unauthorized attempts to invoke sensitive backend tools such as `add_user`, `query_user_by_name`, `query_all_roles`, and `grant_user_roles` without authentication.

Since the endpoint is publicly accessible and marked with `@IgnoreAuth`, suspicious activity may include natural language commands sent to this endpoint that attempt to manipulate user accounts or roles.

To detect exploitation attempts, you can analyze web server logs or use network monitoring tools to filter HTTP POST requests to `/airag/chat/send` containing keywords related to these sensitive tools.

  • Use command-line tools like `grep` or `jq` to search logs for suspicious payloads targeting the AI chat endpoint, for example:
      `grep -i 'add_user' /var/log/nginx/access.log`
      `grep -i 'grant_user_roles' /var/log/nginx/access.log`
    A default nginx access log does not record request bodies, so these searches only match when request-body logging is enabled or the log being searched otherwise contains the chat payload.
  • Use network packet capture tools like `tcpdump` or `Wireshark` to filter HTTP POST requests to `/airag/chat/send` and inspect payloads for unauthorized commands.

Additionally, reviewing application logs for calls to the `sendWithDefault()` method without associated authenticated user context can help identify exploitation attempts.
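
The log analysis described above, as an added example that is not part of the original advisory or of JeecgBoot's code: it flags unauthenticated POSTs to `/airag/chat/send` and raises the severity when the logged body names one of the four tools. The JSON-lines layout, the field names (`src`, `method`, `path`, `token_present`, `body`) and the sample entries are assumptions constructed for illustration.

```python
import json

ENDPOINT = "/airag/chat/send"  # endpoint named in this advisory
SENSITIVE_TOOLS = ("add_user", "query_user_by_name",
                   "query_all_roles", "grant_user_roles")  # from this advisory

# Constructed sample log. The JSON-lines layout and field names are assumptions:
# token_present = request carried a login token, body = logged request body.
SAMPLE_LOG = "\n".join([
    '{"src":"198.51.100.7","method":"POST","path":"/jeecg-boot/airag/chat/send",'
    '"token_present":false,"body":"please run grant_user_roles for account demo"}',
    '{"src":"198.51.100.7","method":"POST","path":"/jeecg-boot/airag/chat/send",'
    '"token_present":false,"body":"what can you help me with?"}',
    '{"src":"203.0.113.20","method":"POST","path":"/jeecg-boot/airag/chat/send",'
    '"token_present":true,"body":"query_all_roles"}',
    '{"src":"203.0.113.9","method":"GET","path":"/health","token_present":false}',
    'truncated line that is not JSON',
    '{"src":"198.51.100.44","method":"POST","path":"/airag/chat/send?x=1",'
    '"token_present":false,"body":"ADD_USER then query_user_by_name"}',
])


def triage(log_text):
    """Return findings for unauthenticated POSTs to the AI chat endpoint."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed or truncated entry
        if not isinstance(rec, dict):
            continue
        # Ignore query string and trailing slash; tolerate a context-path prefix.
        path = str(rec.get("path", "")).split("?", 1)[0].rstrip("/")
        if (rec.get("method") != "POST" or not path.endswith(ENDPOINT)
                or rec.get("token_present")):
            continue  # other traffic, or authenticated use of the endpoint
        body = str(rec.get("body", "")).lower()  # case-insensitive, like grep -i
        tools = [t for t in SENSITIVE_TOOLS if t in body]
        # A prompt need not name a tool: keep every hit, escalate named ones.
        findings.append({"line": lineno, "src": rec.get("src"),
                         "severity": "high" if tools else "review",
                         "tools": tools})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Because the tools are invoked through natural language, a keyword match alone undercounts; the `review` tier keeps every unauthenticated request to the endpoint visible for manual inspection.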

Mitigation Strategies

The immediate mitigation step is to apply the official patch that adds authentication and authorization checks before loading sensitive AI business tools in the `sendWithDefault()` method of the `AiragChatServiceImpl.java` file.

This patch ensures that only authenticated users with appropriate permissions can access sensitive tools like `add_user` and `grant_user_roles`, preventing unauthenticated attackers from exploiting the AI chat interface.

If applying the patch immediately is not possible, consider restricting access to the `/airag/chat/send` endpoint by network-level controls such as firewall rules or API gateway policies to limit exposure.

Additionally, monitor logs for suspicious activity targeting this endpoint and disable or restrict the default AI application if feasible until the patch can be applied.

Following the patch, verify that the system enforces fine-grained permission checks for sensitive operations invoked via the AI chat interface.

Compliance Impact

The vulnerability allows unauthenticated attackers to access sensitive AI business tools that can disclose personal user information such as phone numbers, emails, and user IDs, create backdoor admin accounts, and escalate privileges to gain full system control.

Such unauthorized access and potential data disclosure can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized access and ensure data confidentiality and integrity.

By enabling attackers to bypass authentication and perform administrative actions remotely, this vulnerability undermines compliance with standards mandating access controls, auditability, and protection of sensitive data.

The patch and subsequent fixes introduce authentication and fine-grained permission checks to restrict access to sensitive tools, thereby mitigating risks that could lead to non-compliance with such regulations.
