CVE-2026-5999
Received - Intake
Improper Authorization in JeecgBoot SysAnnouncementController (Remote

Publication date: 2026-04-10

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in JeecgBoot up to 3.9.1. This impacts an unknown function of the component SysAnnouncementController. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirmed the issue and will provide a fix in the upcoming release.
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: jeecgboot
Product: jeecgboot
Version / Range: up to 3.9.1 (inclusive)
CWE ID: Description
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can have several serious impacts:

  • Unauthorized users can publish fake announcements that trigger notifications to all users, potentially enabling phishing or social engineering attacks.
  • Attackers can delete or batch delete announcements created by others, leading to data loss and integrity problems.
  • The lack of proper authorization allows low-privilege users to escalate their privileges and perform administrative actions they should not be able to.
  • Overall, this can compromise the trustworthiness and reliability of system announcements and potentially disrupt normal operations.

Can you explain this vulnerability to me?

CVE-2026-5999 is a vulnerability in the JeecgBoot framework (up to and including version 3.9.1) affecting the SysAnnouncementController component, which manages system announcements. The core issue is missing authorization checks on the controller's endpoints: any authenticated user, meaning anyone holding a valid JWT, can perform administrative actions such as adding, editing, deleting, publishing, or revoking announcements.

This happens because the controller methods carry no permission annotations (such as Shiro's @RequiresPermissions) and the security filter only verifies that the token is valid, without checking what the user is allowed to do (vertical privilege escalation). Additionally, the edit and delete methods have no ownership checks, so users can manipulate announcements created by others (horizontal privilege escalation).

Attackers can exploit this to publish fake announcements that trigger system-wide notifications, delete or tamper with existing announcements, and cause data loss or integrity issues.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts: finding traffic to the SysAnnouncementController endpoints, which are mounted under the route prefix `/sys/annountCement` (the spelling is the project's actual route), and checking whether that traffic came from accounts that should not be able to manage announcements. The management calls to watch are POST requests to `/sys/annountCement/add` (create) and GET requests to `/sys/annountCement/doReleaseData?id={ID}` (publish), together with the edit and delete actions the advisory describes.

Because the flaw is a missing authorization check rather than a malformed request, exploitation looks like ordinary, well-formed use of the API. A detection therefore has to join each request with the identity behind the token and flag management calls whose caller is not an announcement administrator, rather than pattern-matching on the request body.

To confirm whether an instance is affected, obtain a JWT for a low-privilege test account and replay the management calls with it; a 2xx response followed by a visible new or published announcement means the check is missing. JeecgBoot's JWT filter reads the token from the `X-Access-Token` request header rather than an `Authorization: Bearer` header, and `/add` expects a JSON body, so the requests look like this (run them only against systems you are authorized to test, and remove the test announcement afterwards):

  • curl -X POST -H "X-Access-Token: <low_privilege_JWT>" -H "Content-Type: application/json" -d '{"title":"test","content":"test content"}' https://<target>/sys/annountCement/add
  • curl -X GET -H "X-Access-Token: <low_privilege_JWT>" "https://<target>/sys/annountCement/doReleaseData?id=<announcement_id>"

Additionally, review application and access logs for authenticated users performing these actions without the matching permission, and look for one account walking through many announcement IDs in delete or edit requests, which is what enumeration of other users' announcements looks like.
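The log-side check described above, written out as an added example (it is not JeecgBoot code and is not part of this advisory). It assumes a constructed key=value access-log format that records the authenticated username, a constructed role table, and the action names `edit`, `delete`, `deleteBatch` and `list` for the actions the text describes; only `add` and `doReleaseData` are endpoint names taken from the page. The sample log lines are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not JeecgBoot project code. Scans access-log lines for
 * management calls under the SysAnnouncementController route prefix
 * /sys/annountCement and flags (a) successful calls by accounts that do not
 * hold the announcement-management role and (b) one account walking many
 * distinct announcement ids through delete, which is what id enumeration
 * looks like. The log format, the role table and the sample lines are
 * constructed for this example.
 */
public class AnnouncementAbuseDetector {

    static final String PREFIX = "/sys/annountCement/";

    // add and doReleaseData are named in the advisory text; edit, delete and
    // deleteBatch are assumed names for the edit/delete/batch-delete actions.
    static final Set<String> MANAGEMENT_ACTIONS = new HashSet<>(Arrays.asList(
            "add", "edit", "delete", "deleteBatch", "doReleaseData"));

    static final int ENUMERATION_THRESHOLD = 3;

    // Constructed log format: <timestamp> user=<name> method=<verb> path=<path> status=<code>
    static final Pattern LINE = Pattern.compile(
            "^(\\S+) user=(\\S+) method=(\\S+) path=(\\S+) status=(\\d+)$");

    /** Constructed role table: only "admin" may manage announcements. */
    static final Map<String, String> ROLES = new HashMap<>();
    static {
        ROLES.put("admin", "admin");
        ROLES.put("alice", "user");
        ROLES.put("bob", "user");
    }

    /** Returns one finding per suspicious event; empty list if nothing was found. */
    static List<String> analyze(List<String> lines) {
        List<String> findings = new ArrayList<>();
        Map<String, Set<String>> deletedIdsByUser = new HashMap<>();

        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) {
                continue; // not in the expected format; skip rather than guess
            }
            String ts = m.group(1), user = m.group(2), method = m.group(3), path = m.group(4);
            int status = Integer.parseInt(m.group(5));
            if (!path.startsWith(PREFIX)) {
                continue;
            }
            // Split "<action>?<query>" so the action can be classified.
            String rest = path.substring(PREFIX.length());
            int q = rest.indexOf('?');
            String action = q < 0 ? rest : rest.substring(0, q);
            String query = q < 0 ? "" : rest.substring(q + 1);
            if (!MANAGEMENT_ACTIONS.contains(action)) {
                continue; // read-only sub-path such as list
            }
            // Only a 2xx shows the action went through; 401/403 means a check stopped it.
            if (status < 200 || status >= 300) {
                continue;
            }
            String role = ROLES.getOrDefault(user, "unknown");
            if (!"admin".equals(role)) {
                findings.add(ts + " " + user + " (role=" + role + ") executed " + method
                        + " " + PREFIX + action + " -> authorization bypass");
            }
            if (action.equals("delete") || action.equals("deleteBatch")) {
                for (String id : idsFromQuery(query)) {
                    deletedIdsByUser.computeIfAbsent(user, k -> new HashSet<>()).add(id);
                }
            }
        }
        for (Map.Entry<String, Set<String>> e : deletedIdsByUser.entrySet()) {
            if (e.getValue().size() >= ENUMERATION_THRESHOLD) {
                findings.add(e.getKey() + " deleted " + e.getValue().size()
                        + " distinct announcement ids -> possible id enumeration");
            }
        }
        return findings;
    }

    /** Pulls id=<one> and ids=<a,b,c> values out of a query string. */
    static List<String> idsFromQuery(String query) {
        List<String> ids = new ArrayList<>();
        for (String kv : query.split("&")) {
            if (kv.startsWith("id=") || kv.startsWith("ids=")) {
                for (String id : kv.substring(kv.indexOf('=') + 1).split(",")) {
                    if (!id.isEmpty()) ids.add(id);
                }
            }
        }
        return ids;
    }

    public static void main(String[] args) {
        // Constructed sample: admin does legitimate work, bob (a plain user)
        // creates and publishes an announcement and then walks ids through delete.
        List<String> sample = Arrays.asList(
            "2026-04-12T10:00:01Z user=admin method=POST path=/sys/annountCement/add status=200",
            "2026-04-12T10:05:11Z user=alice method=GET path=/sys/annountCement/list?pageNo=1 status=200",
            "2026-04-12T10:07:42Z user=bob method=POST path=/sys/annountCement/add status=200",
            "2026-04-12T10:07:50Z user=bob method=GET path=/sys/annountCement/doReleaseData?id=1001 status=200",
            "2026-04-12T10:08:01Z user=bob method=DELETE path=/sys/annountCement/delete?id=1 status=200",
            "2026-04-12T10:08:02Z user=bob method=DELETE path=/sys/annountCement/delete?id=2 status=200",
            "2026-04-12T10:08:03Z user=bob method=DELETE path=/sys/annountCement/deleteBatch?ids=3,4 status=200",
            "2026-04-12T10:09:00Z user=alice method=POST path=/sys/annountCement/add status=403");
        for (String finding : analyze(sample)) {
            System.out.println(finding);
        }
    }
}
```

On the constructed sample this reports five bypass findings for bob (add, doReleaseData, two deletes and the batch delete) and one enumeration finding (four distinct ids), while alice's rejected POST is ignored because the 403 shows a check fired. Feeding real logs means replacing the regex with your server's format and the role table with a lookup against the user directory; the decision logic stays the same.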


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation is to restrict who can reach the vulnerable endpoints and to enforce the missing authorization checks.

  • Apply network-level restrictions such as firewall rules or API gateway policies so that the mutating routes under `/sys/annountCement` are reachable only from trusted users or IP addresses; read-only routes can stay open if users need to see announcements.
  • Temporarily disable or restrict the SysAnnouncementController management endpoints if possible until the fix is available; the vendor has confirmed the issue and announced a fix for the upcoming release.
  • Monitor and audit all requests to these endpoints for suspicious activity, especially mutating calls from low-privilege users.

Longer term, update JeecgBoot to the release in which the vendor ships the fix and verify that it adds `@RequiresPermissions` annotations to all management endpoints, implements ownership checks in the edit and delete methods, and enforces permission-based data restrictions.
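The two checks named in the explanation earlier on this page (a per-endpoint permission check and an ownership check on edit and delete) and in the fix description above, as an added example that is not JeecgBoot's code: a plain-Java model of the authorization decision, with the token-only behaviour of the vulnerable controller beside the hardened one. The permission strings, usernames and announcement records are assumptions made for the example; in the real controller the permission check would be a Shiro `@RequiresPermissions` annotation on each method and the ownership check would live in the method body.

```java
import java.util.Arrays;
import java.util.EnumMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not JeecgBoot project code. Models the gate the advisory
 * says was missing: after the JWT filter has established who the caller is,
 * every management action must still pass (1) a per-action permission check,
 * which is what a Shiro @RequiresPermissions annotation on the controller
 * method enforces, and (2) for edit/delete, an ownership check against the
 * record's creator. The vulnerable path is shown beside it for contrast.
 * Permission strings, usernames and announcement records are constructed.
 */
public class AnnouncementAuthz {

    enum Action { ADD, EDIT, DELETE, RELEASE }

    /** Caller identity as the JWT filter would hand it to the controller. */
    static final class Principal {
        final String username;
        final Set<String> permissions;
        Principal(String username, String... permissions) {
            this.username = username;
            this.permissions = new HashSet<>(Arrays.asList(permissions));
        }
    }

    static final class Announcement {
        final String id;
        final String createdBy;
        Announcement(String id, String createdBy) {
            this.id = id;
            this.createdBy = createdBy;
        }
    }

    // Permission string each action requires (assumed names; in the real
    // controller they would sit in @RequiresPermissions on each method).
    static final Map<Action, String> REQUIRED = new EnumMap<>(Action.class);
    static {
        REQUIRED.put(Action.ADD, "system:announcement:add");
        REQUIRED.put(Action.EDIT, "system:announcement:edit");
        REQUIRED.put(Action.DELETE, "system:announcement:delete");
        REQUIRED.put(Action.RELEASE, "system:announcement:release");
    }

    /** Vulnerable behaviour: a valid token (a non-null principal) is the only gate. */
    static boolean vulnerableAllows(Principal caller, Action action, Announcement target) {
        return caller != null;
    }

    /**
     * Hardened behaviour. Returns "ALLOW" or a "DENY: ..." reason so the
     * controller can answer 403 and log why the request was refused.
     */
    static String hardenedDecision(Principal caller, Action action, Announcement target) {
        if (caller == null) {
            return "DENY: no authenticated principal";
        }
        // Vertical check: the caller must hold the permission for this action.
        String needed = REQUIRED.get(action);
        if (!caller.permissions.contains(needed)) {
            return "DENY: " + caller.username + " lacks " + needed;
        }
        // Horizontal check: holding edit/delete permission is not enough;
        // the record must belong to the caller.
        if ((action == Action.EDIT || action == Action.DELETE)
                && !caller.username.equals(target.createdBy)) {
            return "DENY: " + caller.username + " does not own announcement " + target.id;
        }
        return "ALLOW";
    }

    public static void main(String[] args) {
        Principal admin = new Principal("admin",
                "system:announcement:add", "system:announcement:edit",
                "system:announcement:delete", "system:announcement:release");
        Principal editor = new Principal("bob",
                "system:announcement:add", "system:announcement:edit");
        Principal plainUser = new Principal("alice");
        Announcement adminsNotice = new Announcement("1001", "admin");
        Announcement bobsNotice = new Announcement("1002", "bob");

        Object[][] cases = {
            { plainUser, Action.ADD, adminsNotice },      // vulnerable: allowed; hardened: denied
            { plainUser, Action.RELEASE, adminsNotice },  // vulnerable: allowed; hardened: denied
            { editor, Action.EDIT, adminsNotice },        // has permission but is not the owner
            { editor, Action.EDIT, bobsNotice },          // has permission and owns the record
            { admin, Action.DELETE, adminsNotice },       // admin deleting its own record
            { null, Action.ADD, adminsNotice },           // no token at all
        };
        for (Object[] c : cases) {
            Principal p = (Principal) c[0];
            Action a = (Action) c[1];
            Announcement t = (Announcement) c[2];
            System.out.printf("%-6s %-8s %-5s vulnerable=%-5s hardened=%s%n",
                    p == null ? "(none)" : p.username, a, t.id,
                    vulnerableAllows(p, a, t), hardenedDecision(p, a, t));
        }
    }
}
```

The table printed by `main` makes the two escalation classes visible side by side: alice (no permissions) is allowed everything by the vulnerable path and nothing by the hardened one, while bob is stopped on admin's record even though he holds the edit permission. Whether administrators are exempt from the ownership check is a policy choice the advisory does not settle; if you add such an exemption, key it on a distinct permission rather than on the username.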


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in CVE-2026-5999 leads to improper authorization in the JeecgBoot system announcements management, allowing any authenticated user to perform administrative actions such as creating, editing, publishing, and deleting announcements without proper permission checks.

This lack of access control and horizontal privilege escalation can result in unauthorized data manipulation, data loss, and the publishing of malicious content, which may compromise data integrity and confidentiality.

Such security weaknesses can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls, data integrity, and protection against unauthorized data access or modification.

Specifically, the ability for low-privilege users to manipulate announcements and trigger system-wide notifications could lead to phishing or social engineering attacks, further increasing compliance risks.

