CVE-2026-7602
Deferred Deferred - Pending Action
Improper Authorization in JeecgBoot FillRuleUtil Component

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: VulDB

Description
A vulnerability was found in JeecgBoot up to 3.9.1. Affected by this vulnerability is an unknown functionality of the file /sys/fillRule/edit of the component FillRuleUtil Component. The manipulation of the argument ruleClass results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. You should upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7602
EUVD
EUVD-2026-26730
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jeecgboot jeecgboot to 3.9.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7602 is a Remote Code Execution (RCE) vulnerability in JeecgBoot versions up to 3.9.1. It arises from unsafe reflection in the FillRuleUtil component, specifically through the /sys/fillRule/edit endpoint. This endpoint lacks proper role-based authorization and input validation, allowing an authenticated user to manipulate the ruleClass parameter of an existing fill rule by injecting a malicious class name.

When a department is created via the /sys/sysDepart/add endpoint, the application retrieves the malicious rule and uses Java reflection (Class.forName().newInstance()) to instantiate the injected class, which leads to arbitrary code execution on the server.

The attack requires standard authentication but no specific role permissions, and depends on the presence of a suitable gadget chain (such as Apache Commons Collections) on the classpath to execute the malicious code.

Impact Analysis

This vulnerability allows an authenticated attacker to execute arbitrary code remotely on the affected system. By injecting malicious class names into the fill rule configuration, the attacker can gain control over the server's execution environment.

The impact includes potential full compromise of the affected system, unauthorized access to sensitive data, disruption of services, and the ability to perform further attacks within the network.

Detection Guidance

This vulnerability can be detected by monitoring and inspecting requests to the endpoints involved in the exploit, specifically POST requests to /sys/fillRule/edit and /sys/sysDepart/add.

Detection involves checking for unauthorized or suspicious modifications to the ruleClass parameter in the /sys/fillRule/edit endpoint, which could indicate an injection of a malicious class name.

You can use network monitoring tools or web application firewalls (WAF) to log and analyze POST requests to these endpoints.

Example commands to detect suspicious activity might include:

  • Using curl or similar tools to manually check the endpoint behavior: curl -X POST https://yourserver/sys/fillRule/edit -d 'ruleClass=malicious.class.Name' -H 'Authorization: Bearer <token>'
  • Using grep or log analysis to find suspicious ruleClass values in application logs: grep 'ruleClass' /path/to/jeecgboot/logs/*
  • Monitoring HTTP access logs for POST requests to /sys/fillRule/edit and /sys/sysDepart/add endpoints with unusual payloads.
Mitigation Strategies

The immediate recommended mitigation is to upgrade the affected JeecgBoot component to a version where the vulnerability is fixed once the vendor releases the patch.

Until the fix is available, restrict access to the vulnerable endpoints (/sys/fillRule/edit and /sys/sysDepart/add) to trusted users only, and enforce strict role-based access control to prevent unauthorized authenticated users from accessing these endpoints.

Additionally, monitor logs for suspicious activity related to these endpoints and consider implementing Web Application Firewall (WAF) rules to block or alert on suspicious payloads targeting the ruleClass parameter.

Review and harden authentication and authorization mechanisms to ensure that only properly authorized users can perform sensitive operations.

Compliance Impact

The vulnerability in JeecgBoot allows improper authorization leading to remote code execution, which can compromise the confidentiality, integrity, and availability of data processed by the system.

Such a security flaw could potentially lead to unauthorized access or manipulation of sensitive personal or health data, thereby impacting compliance with regulations like GDPR and HIPAA that require strict controls over data access and protection.

Since the vulnerability allows authenticated users without proper role permissions to execute arbitrary code, it undermines role-based access control mechanisms, a key requirement in many compliance frameworks.

Organizations using affected versions of JeecgBoot should upgrade to the fixed version to mitigate risks and maintain compliance with relevant security standards and regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7602. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart