CVE-2026-9579
JeecgBoot User Identity Improper Access Control
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jeecg | jeecgboot | up to and including 3.9.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in JeecgBoot up to version 3.9.1, specifically in the function user.getUsername within the file /sys/user/login/setting/userEdit of the SysUser component. It arises from improper access controls due to manipulation of the argument userIdentity. An attacker can exploit this remotely to bypass intended access restrictions.
How can this vulnerability impact me?
The vulnerability can allow an attacker to bypass access controls by manipulating the userIdentity argument, potentially gaining unauthorized access to user information or functionality. This could lead to information disclosure or unauthorized actions within the affected system.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to upgrade the affected component JeecgBoot to version 3.9.2 or later.
This upgrade addresses the improper access control issue in the user.getUsername function of the SysUser component.