CVE-2026-11458
Deferred Deferred - Pending Action

Information Disclosure in JeeWMS Boot Actuator Endpoint

Publication date: 2026-06-07

Last updated on: 2026-06-07

Assigner: VulDB

Description
A weakness has been identified in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This issue affects some unknown processing of the file /base-boot/actuator of the component Boot Actuator Endpoint. Executing a manipulation can lead to information disclosure. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-07
Last Modified
2026-06-07
Generated
2026-06-28
AI Q&A
2026-06-07
EPSS Evaluated
2026-06-26
NVD
CVE-2026-11458
EUVD
EUVD-2026-34988

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
huayi_technology jeewms to 141740afb2ba14d441c82a833d0a418d07ca2d69 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-11458 is an unauthenticated sensitive information disclosure in the JEEWMS software from Huayi Technology. It occurs because certain Spring Boot Actuator endpoints, specifically /base-boot/actuator/env and /base-boot/actuator/heapdump, are exposed without requiring authentication.

These endpoints can be accessed by anyone remotely, allowing attackers to retrieve critical configuration secrets, runtime environment data, and a full JVM heap dump. The /env endpoint may reveal sensitive application configuration, environment variables, database settings, and integration parameters. The /heapdump endpoint allows downloading the entire JVM heap, which can contain in-memory objects such as usernames, passwords, session tokens, API keys, and other sensitive data.

The root cause is an insecure configuration in the ShiroConfig file, where the /actuator/** path is explicitly allowed for anonymous access, enabling unauthenticated users to exploit these endpoints.

Impact Analysis

This vulnerability can lead to significant security impacts including information disclosure of sensitive data such as credentials and session tokens.

  • Attackers can extract valid usernames, passwords, API keys, and session tokens.
  • It can enable privilege escalation, allowing attackers to gain higher access rights.
  • It facilitates lateral movement within the internal network, increasing the scope of compromise.
  • It can be chained into further remote compromise of the system.
Detection Guidance

This vulnerability can be detected by checking if the sensitive Spring Boot Actuator endpoints are accessible without authentication. Specifically, you can test access to the endpoints `/base-boot/actuator/env` and `/base-boot/actuator/heapdump` to see if they return sensitive information.

  • Use curl or similar HTTP client commands to request these endpoints and observe if they respond without requiring authentication.
  • Example commands to test accessibility:
  • curl -v http://<target-host>/base-boot/actuator/env
  • curl -v http://<target-host>/base-boot/actuator/heapdump

If these endpoints return data without authentication, the system is vulnerable to information disclosure.

Mitigation Strategies

Immediate mitigation involves restricting access to the sensitive Spring Boot Actuator endpoints to prevent unauthenticated users from accessing them.

  • Configure proper access controls in the application, especially in the ShiroConfig or equivalent security configuration, to disallow anonymous access to `/actuator/**` endpoints.
  • Ensure that authentication and authorization are required for accessing management endpoints such as `/base-boot/actuator/env` and `/base-boot/actuator/heapdump`.
  • If possible, disable or limit exposure of these actuator endpoints in production environments.

These steps will help prevent attackers from exploiting the vulnerability to disclose sensitive information.

Compliance Impact

The vulnerability CVE-2026-11458 allows unauthenticated access to sensitive information through exposed Spring Boot Actuator endpoints, potentially disclosing configuration secrets, environment variables, and sensitive in-memory data such as usernames, passwords, session tokens, and API keys.

Such unauthorized disclosure of sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information to prevent unauthorized access and data breaches.

Therefore, this vulnerability can negatively impact compliance by exposing sensitive data that should be protected under these standards, increasing the risk of regulatory penalties and loss of trust.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11458. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart