CVE-2026-5999
Received Received - Intake
Improper Authorization in JeecgBoot SysAnnouncementController (Remote

Publication date: 2026-04-10

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in JeecgBoot up to 3.9.1. This impacts an unknown function of the component SysAnnouncementController. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirmed the issue and will provide a fix in the upcoming release.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5999
EUVD
EUVD-2026-21280
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jeecgboot jeecgboot to 3.9.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can have several serious impacts:

  • Unauthorized users can publish fake announcements that trigger notifications to all users, potentially enabling phishing or social engineering attacks.
  • Attackers can delete or batch delete announcements created by others, leading to data loss and integrity problems.
  • The lack of proper authorization allows low-privilege users to escalate their privileges and perform administrative actions they should not be able to.
  • Overall, this can compromise the trustworthiness and reliability of system announcements and potentially disrupt normal operations.
Executive Summary

CVE-2026-5999 is a vulnerability in the JeecgBoot framework (up to version 3.9.1) affecting the SysAnnouncementController component, which manages system announcements. The core issue is the complete lack of authorization controls on the controller's endpoints, meaning that any authenticated user with a valid JWT token can perform administrative actions such as adding, editing, deleting, publishing, or revoking announcements.

This happens because the controller lacks permission annotations (like @RequiresPermissions) and the security filter only verifies token validity without enforcing user permissions. Additionally, there are no ownership checks, allowing users to manipulate announcements created by others, leading to horizontal privilege escalation.

Attackers can exploit this to publish fake announcements triggering system-wide notifications, delete or tamper with announcements, and cause data loss or integrity issues.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests targeting the JeecgBoot SysAnnouncementController endpoints under the route prefix `/sys/annountCement`. Specifically, look for unauthorized or unexpected POST requests to `/sys/annountCement/add` or GET requests to `/sys/annountCement/doReleaseData?id={ID}` that are used to add or publish announcements.

Since the vulnerability involves missing authorization checks, detection can include verifying if users with low privileges are able to perform administrative actions such as adding, editing, deleting, or publishing announcements.

Suggested commands to detect exploitation attempts include using tools like curl or network monitoring to check for suspicious requests:

  • curl -X POST -H "Authorization: Bearer <valid_JWT_token>" -d '{"title":"test","content":"test content"}' https://<target>/sys/annountCement/add
  • curl -X GET -H "Authorization: Bearer <valid_JWT_token>" https://<target>/sys/annountCement/doReleaseData?id=<announcement_id>

Additionally, review logs for any authenticated user performing these actions without proper permissions, and check for enumeration of announcement IDs via repeated requests to delete or modify announcements.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoints and enforcing proper authorization controls.

  • Apply network-level restrictions such as firewall rules or API gateway policies to limit access to `/sys/annountCement` endpoints only to trusted users or IP addresses.
  • Temporarily disable or restrict the SysAnnouncementController endpoints if possible until a patch is available.
  • Monitor and audit all requests to these endpoints for suspicious activity, especially from low-privilege users.

Longer term, update the JeecgBoot framework to a version where the vendor has applied fixes that add `@RequiresPermissions` annotations to all management endpoints, implement ownership checks in edit and delete methods, and enforce permission data restrictions.

Compliance Impact

The vulnerability in CVE-2026-5999 leads to improper authorization in the JeecgBoot system announcements management, allowing any authenticated user to perform administrative actions such as creating, editing, publishing, and deleting announcements without proper permission checks.

This lack of access control and horizontal privilege escalation can result in unauthorized data manipulation, data loss, and the publishing of malicious content, which may compromise data integrity and confidentiality.

Such security weaknesses can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls, data integrity, and protection against unauthorized data access or modification.

Specifically, the ability for low-privilege users to manipulate announcements and trigger system-wide notifications could lead to phishing or social engineering attacks, further increasing compliance risks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5999. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart