CVE-2026-7602
Improper Authorization in JeecgBoot FillRuleUtil Component
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jeecgboot | jeecgboot | to 3.9.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7602 is a Remote Code Execution (RCE) vulnerability in JeecgBoot versions up to 3.9.1. It arises from unsafe reflection in the FillRuleUtil component, specifically through the /sys/fillRule/edit endpoint. This endpoint lacks proper role-based authorization and input validation, allowing an authenticated user to manipulate the ruleClass parameter of an existing fill rule by injecting a malicious class name.
When a department is created via the /sys/sysDepart/add endpoint, the application retrieves the malicious rule and uses Java reflection (Class.forName().newInstance()) to instantiate the injected class, which leads to arbitrary code execution on the server.
The attack requires standard authentication but no specific role permissions, and depends on the presence of a suitable gadget chain (such as Apache Commons Collections) on the classpath to execute the malicious code.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to execute arbitrary code remotely on the affected system. By injecting malicious class names into the fill rule configuration, the attacker can gain control over the server's execution environment.
The impact includes potential full compromise of the affected system, unauthorized access to sensitive data, disruption of services, and the ability to perform further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and inspecting requests to the endpoints involved in the exploit, specifically POST requests to /sys/fillRule/edit and /sys/sysDepart/add.
Detection involves checking for unauthorized or suspicious modifications to the ruleClass parameter in the /sys/fillRule/edit endpoint, which could indicate an injection of a malicious class name.
You can use network monitoring tools or web application firewalls (WAF) to log and analyze POST requests to these endpoints.
Example commands to detect suspicious activity might include:
- Using curl or similar tools to manually check the endpoint behavior: curl -X POST https://yourserver/sys/fillRule/edit -d 'ruleClass=malicious.class.Name' -H 'Authorization: Bearer <token>'
- Using grep or log analysis to find suspicious ruleClass values in application logs: grep 'ruleClass' /path/to/jeecgboot/logs/*
- Monitoring HTTP access logs for POST requests to /sys/fillRule/edit and /sys/sysDepart/add endpoints with unusual payloads.
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended mitigation is to upgrade the affected JeecgBoot component to a version where the vulnerability is fixed once the vendor releases the patch.
Until the fix is available, restrict access to the vulnerable endpoints (/sys/fillRule/edit and /sys/sysDepart/add) to trusted users only, and enforce strict role-based access control to prevent unauthorized authenticated users from accessing these endpoints.
Additionally, monitor logs for suspicious activity related to these endpoints and consider implementing Web Application Firewall (WAF) rules to block or alert on suspicious payloads targeting the ruleClass parameter.
Review and harden authentication and authorization mechanisms to ensure that only properly authorized users can perform sensitive operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in JeecgBoot allows improper authorization leading to remote code execution, which can compromise the confidentiality, integrity, and availability of data processed by the system.
Such a security flaw could potentially lead to unauthorized access or manipulation of sensitive personal or health data, thereby impacting compliance with regulations like GDPR and HIPAA that require strict controls over data access and protection.
Since the vulnerability allows authenticated users without proper role permissions to execute arbitrary code, it undermines role-based access control mechanisms, a key requirement in many compliance frameworks.
Organizations using affected versions of JeecgBoot should upgrade to the fixed version to mitigate risks and maintain compliance with relevant security standards and regulations.