CVE-2026-7603
Deferred - Pending Action
Path Traversal in JeecgBoot LoadFile Endpoint

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: VulDB

Description
A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.java of the component LoadFile Endpoint. Manipulation of the argument files causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor confirmed the issue and will provide a fix in the upcoming release.
Meta Information
Published: 2026-05-02
Last Modified: 2026-05-05
Generated: 2026-05-07
AI Q&A: 2026-05-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: jeecgboot
Product: jeecgboot
Version / Range: up to 3.9.1 (inclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7603 is a server-side request forgery (SSRF) vulnerability found in JeecgBoot versions up to 3.9.1. It affects the function checkPathTraversalBatch in the FileDownloadUtils.java file, specifically in the LoadFile Endpoint component. The vulnerability allows an attacker to place HTTP URLs in the 'files' argument when an announcement is created; those URLs are then fetched by the server when the announcement's attachments are downloaded.

The attacker sends a POST request to the /sys/annountCement/add endpoint with malicious URLs in the 'files' field. The application only checks for path traversal strings like "../" or "%2e" but does not block HTTP URLs. Later, when a user or administrator triggers the download of announcement attachments via the GET /sys/annountCement/downLoadFiles endpoint, the server fetches these injected URLs without any SSRF protections.

This causes the server to make outbound HTTP requests to attacker-controlled or internal network addresses, potentially exposing sensitive internal data or cloud metadata. The vulnerability arises because the server-side code does not properly validate or restrict the URLs before fetching them.


How can this vulnerability impact me?

This vulnerability can allow an attacker to perform unauthorized server-side HTTP requests to internal or external systems. By exploiting it, attackers can scan internal networks, access local services, and retrieve sensitive information such as cloud metadata or internal credentials.

The attacker can inject malicious URLs that the server later fetches, potentially exposing internal data through downloaded files or enabling further attacks within the internal network. This can lead to data leakage, unauthorized access, and compromise of internal infrastructure.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /sys/annountCement/add containing malicious HTTP URLs in the files field. These URLs may point to internal services or cloud metadata endpoints. Additionally, GET requests to /sys/annountCement/downLoadFiles?id=<announcement_id> that trigger server-side HTTP requests to unexpected external or internal addresses can indicate exploitation attempts.

To detect exploitation attempts, you can use network monitoring or web server logs to identify unusual outbound HTTP requests initiated by the server, especially those targeting internal IP ranges or cloud metadata services.

Suggested commands for detection include:

  • Using grep on server logs to find suspicious POST requests: grep -i 'POST /sys/annountCement/add' /var/log/nginx/access.log | grep -E 'https?://' (note that the default access-log format does not record POST bodies, so injected URLs only appear in the log if request-body logging is enabled or the values are passed in the query string)
  • Monitoring outbound HTTP requests from the server to internal IP ranges or cloud metadata endpoints using tools like tcpdump or Wireshark: tcpdump -i eth0 'tcp and (dst host 169.254.169.254 or dst net 10.0.0.0/8)'
  • Checking database entries for injected URLs in the files field of announcements, if database access is available, by querying the relevant table for HTTP URLs.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade JeecgBoot to a version where this vulnerability is fixed once the vendor releases the patch.

Until the fix is available, you should restrict access to the vulnerable endpoints /sys/annountCement/add and /sys/annountCement/downLoadFiles to trusted users only, preferably administrators.

Additionally, implement network-level controls to prevent the server from making outbound HTTP requests to untrusted or internal IP addresses, such as firewall rules blocking outbound traffic to internal networks or cloud metadata IPs.

Review and sanitize inputs to the files field in the announcement feature to block HTTP URLs or other suspicious inputs if possible through custom rules or web application firewall (WAF) configurations.
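As an added illustration (not code from JeecgBoot or from this record), the check described in the first answer and the input-sanitization advice above, written in Python: a traversal-only filter that lets an absolute URL through, beside a hardened filter that also rejects URL schemes and authorities and encoded or double-encoded '..' segments. The batch delimiter and the double-decoding are assumptions, not details from the advisory.

```python
from urllib.parse import unquote, urlsplit

# Traversal markers the advisory says the original check looks for.
TRAVERSAL_MARKERS = ("../", "..\\", "%2e")


def weak_check(file_ref: str) -> bool:
    """Models the check described in the advisory: traversal strings only.
    An absolute http:// URL passes, which is the root of the SSRF."""
    lowered = file_ref.lower()
    return not any(marker in lowered for marker in TRAVERSAL_MARKERS)


def hardened_check(file_ref: str) -> bool:
    """Accept only a plain relative reference to a stored upload."""
    # Decode twice so double-encoded sequences such as %252e%252e surface
    # (assumption: the application does not decode more than once itself).
    decoded = unquote(unquote(file_ref))
    if not decoded or "\x00" in decoded:
        return False
    # Any scheme or authority (http://, file://, //host/...) means the value
    # would be fetched as a URL rather than read from the upload directory.
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return False
    # Treat backslashes as separators, then reject absolute paths and
    # any '..' segment, which would escape the upload directory.
    path = decoded.replace("\\", "/")
    if path.startswith("/"):
        return False
    return all(segment != ".." for segment in path.split("/"))


def check_batch(files: str, delimiter: str = ",") -> list:
    """Apply the hardened check to a delimiter-separated batch of file
    references (the delimiter is an assumption; the advisory does not
    state the batch format). Returns the entries that must be rejected."""
    entries = (entry.strip() for entry in files.split(delimiter))
    return [entry for entry in entries if entry and not hardened_check(entry)]


if __name__ == "__main__":
    # Constructed sample value, not taken from any real system.
    sample = "temp/report.pdf,http://169.254.169.254/latest/meta-data/,temp/%252e%252e/x"
    print("rejected by hardened check:", check_batch(sample))
```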


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in JeecgBoot (CVE-2026-7603) is a server-side request forgery (SSRF) issue that allows attackers to inject HTTP URLs that the server later fetches, potentially exposing internal network services and sensitive data such as cloud metadata.

Such exposure of sensitive internal data and credentials could lead to unauthorized access or data breaches, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

However, the provided information does not explicitly describe the direct impact on compliance with these standards or any specific regulatory requirements.

