CVE-2026-7306
Hard-Coded Cryptographic Key in xxl-job OpenAPI Endpoint
Publication date: 2026-04-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xuxueli | xxl-job | up to 3.3.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-320 | Key Management Errors |
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Xuxueli xxl-job up to version 3.3.2, specifically in an unknown function within the OpenAPI Endpoint component of the file OpenApiController.java. The issue arises from manipulation of the argument named default_token, which leads to the use of a hard-coded cryptographic key. This flaw can be exploited remotely, but the attack requires a high level of complexity and is considered difficult to execute. The exploit has been publicly disclosed and may be used by attackers.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to the compromise of confidentiality, integrity, and availability of the affected system. Since it involves the use of a hard-coded cryptographic key, attackers might bypass security controls or gain unauthorized access remotely. However, due to the high complexity and difficulty of the attack, the risk is moderate.