CVE-2026-7603
Deferred Deferred - Pending Action
Path Traversal in JeecgBoot LoadFile Endpoint

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: VulDB

Description
A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor confirmed the issue and will provide a fix in the upcoming release.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7603
EUVD
EUVD-2026-26738
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jeecgboot jeecgboot to 3.9.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7603 is a server-side request forgery (SSRF) vulnerability found in JeecgBoot versions up to 3.9.1. It affects the function checkPathTraversalBatch in the FileDownloadUtils.java file, specifically in the LoadFile Endpoint component. The vulnerability allows an attacker to manipulate the 'files' argument by injecting malicious HTTP URLs during the announcement file download process.

The attacker sends a POST request to the /sys/annountCement/add endpoint with malicious URLs in the 'files' field. The application only checks for path traversal strings like "../" or "%2e" but does not block HTTP URLs. Later, when a user or administrator triggers the download of announcement attachments via the GET /sys/annountCement/downLoadFiles endpoint, the server fetches these injected URLs without any SSRF protections.

This causes the server to make outbound HTTP requests to attacker-controlled or internal network addresses, potentially exposing sensitive internal data or cloud metadata. The vulnerability arises because the server-side code does not properly validate or restrict the URLs before fetching them.

Impact Analysis

This vulnerability can allow an attacker to perform unauthorized server-side HTTP requests to internal or external systems. By exploiting it, attackers can scan internal networks, access local services, and retrieve sensitive information such as cloud metadata or internal credentials.

The attacker can inject malicious URLs that the server later fetches, potentially exposing internal data through downloaded files or enabling further attacks within the internal network. This can lead to data leakage, unauthorized access, and compromise of internal infrastructure.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /sys/annountCement/add containing malicious HTTP URLs in the files field. These URLs may point to internal services or cloud metadata endpoints. Additionally, GET requests to /sys/annountCement/downLoadFiles?id=<announcement_id> that trigger server-side HTTP requests to unexpected external or internal addresses can indicate exploitation attempts.

To detect exploitation attempts, you can use network monitoring or web server logs to identify unusual outbound HTTP requests initiated by the server, especially those targeting internal IP ranges or cloud metadata services.

Suggested commands for detection include:

  • Using grep on server logs to find suspicious POST requests: grep -i 'POST /sys/annountCement/add' /var/log/nginx/access.log | grep 'http'
  • Monitoring outbound HTTP requests from the server to internal IP ranges or cloud metadata endpoints using tools like tcpdump or Wireshark: tcpdump -i eth0 'tcp and dst net 169.254.169.254 or dst net 10.0.0.0/8'
  • Checking database entries for injected URLs in the files field of announcements, if database access is available, by querying the relevant table for HTTP URLs.
Mitigation Strategies

The immediate mitigation step is to upgrade JeecgBoot to a version where this vulnerability is fixed once the vendor releases the patch.

Until the fix is available, you should restrict access to the vulnerable endpoints /sys/annountCement/add and /sys/annountCement/downLoadFiles to trusted users only, preferably administrators.

Additionally, implement network-level controls to prevent the server from making outbound HTTP requests to untrusted or internal IP addresses, such as firewall rules blocking outbound traffic to internal networks or cloud metadata IPs.

Review and sanitize inputs to the files field in the announcement feature to block HTTP URLs or other suspicious inputs if possible through custom rules or web application firewall (WAF) configurations.

Compliance Impact

The vulnerability in JeecgBoot (CVE-2026-7603) is a server-side request forgery (SSRF) issue that allows attackers to inject and execute malicious HTTP URLs, potentially exposing internal network services and sensitive data such as cloud metadata.

Such exposure of sensitive internal data and credentials could lead to unauthorized access or data breaches, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

However, the provided information does not explicitly describe the direct impact on compliance with these standards or any specific regulatory requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7603. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart