CVE-2026-11464
Deferred - Pending Action
Information Disclosure in JeecgBoot User List Endpoint

Publication date: 2026-06-07

Last updated on: 2026-06-07

Assigner: VulDB

Description
A vulnerability was identified in JeecgBoot up to 3.9.2. Affected by this vulnerability is the function queryPageList of the file src\main\java\org\jeecg\modules\system\controller\SysUserController.java of the component User List Endpoint. The manipulation of the argument salt leads to information disclosure. The attack may be initiated remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit is publicly available and might be used. A fix is planned for the upcoming release.
Meta Information
Generated: 2026-06-08
AI Q&A generated: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: jeecg
Product: jeecgboot
Version / Range: up to 3.9.2 (inclusive)
CWE IDs
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in JeecgBoot involves information disclosure through manipulation of the salt argument in the User List Endpoint. This could potentially lead to unauthorized access to user information.

Such information disclosure vulnerabilities may impact compliance with data protection regulations like GDPR and HIPAA, which require protection of personal and sensitive data from unauthorized access or disclosure.

However, the CVE description does not explicitly mention compliance impacts or specific data types affected, so the exact effect on compliance cannot be determined from the provided information.

Executive Summary

This vulnerability exists in JeecgBoot up to version 3.9.2, specifically in the function queryPageList within the SysUserController.java file of the User List Endpoint component.

The issue arises from the manipulation of the argument 'salt', which can lead to information disclosure.

The attack can be initiated remotely but is considered to have high complexity, making exploitation difficult.

Although exploitation is challenging, a public exploit is available and could be used.

A fix for this vulnerability is planned for an upcoming release.

Impact Analysis

This vulnerability can lead to information disclosure through manipulation of the 'salt' argument in the User List Endpoint.

Since the attack can be performed remotely, sensitive information may be exposed to unauthorized parties.

However, the attack is of high complexity and difficult to exploit, which may reduce the likelihood of successful exploitation.

The availability of a public exploit increases the risk that attackers might attempt to leverage this vulnerability.

Detection Guidance

The vulnerability can be detected by checking if the `/sys/user/list` API endpoint allows querying sensitive fields such as `salt` or `password` via GET parameters. An authenticated user can attempt to perform fuzzy queries using parameters like `salt=xxx*` or `password=xxx*` to see if the system returns sensitive information.

To detect this on your system, you can try sending HTTP GET requests to the vulnerable endpoint with query parameters targeting sensitive fields and observe if any sensitive data is disclosed.

  • Example curl command to test the vulnerability: curl -G -u <username>:<password> 'http://<host>/sys/user/list' --data-urlencode 'salt=xxx*'
  • Alternatively, use tools like Burp Suite or Postman to send authenticated requests with parameters such as `password=xxx*` or `salt=xxx*` to check for information disclosure.

Mitigation Strategies

Immediate mitigation involves modifying the `queryPageList` method in the `SysUserController` to explicitly set the `password` and `salt` fields to null before generating the query. This prevents these sensitive fields from being included in query conditions and exposed via the API.

Additionally, ensure that only authorized users have access to the `/sys/user/list` endpoint and consider adding stricter input validation or filtering to disallow querying sensitive fields.

Monitor for any suspicious activity involving brute-force or fuzzy queries on sensitive fields and apply patches or updates once the official fix is released.
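The following Java sketch is an added illustration of the mitigation described above; it is not JeecgBoot's own code and does not reproduce the real `SysUserController`. It assumes the pattern the advisory implies: request parameters are bound onto a user entity and every non-null field is turned into a query criterion, so a wildcard value in `salt` or `password` makes the list endpoint act as a matching oracle for stored secrets. All class, field and method names (`SysUser`, `buildQueryUnsafe`, `buildQuerySafe`, `toResponse`) are hypothetical; the raw-parameter map mirrors the shape of `HttpServletRequest.getParameterMap()`.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added example, not JeecgBoot code. Demonstrates why binding every request
// parameter into a query filter leaks password/salt, and the hardened shape
// that nulls those fields before the query is generated and rejects any raw
// parameter that names a protected column.
public class UserListHardening {

    /** Minimal stand-in for a user entity (hypothetical fields). */
    public static class SysUser {
        public String username;
        public String realname;
        public String password; // stored hash: never a query criterion
        public String salt;     // per-user salt: never a query criterion
    }

    /** Columns a caller may legitimately filter the user list on. */
    private static final Set<String> FILTERABLE = Set.of("username", "realname");
    /** Columns that must never become criteria or appear in responses. */
    private static final Set<String> SENSITIVE = Set.of("password", "salt");

    /**
     * Vulnerable shape: every bound field becomes a filter, so a request such as
     * salt=ab* returns only users whose salt starts with "ab", confirming the
     * secret one fragment at a time even though the secret itself is not echoed.
     */
    public static Map<String, String> buildQueryUnsafe(SysUser u) {
        Map<String, String> criteria = new LinkedHashMap<>();
        if (u.username != null) criteria.put("username", u.username);
        if (u.realname != null) criteria.put("realname", u.realname);
        if (u.password != null) criteria.put("password", u.password); // leak
        if (u.salt != null)     criteria.put("salt", u.salt);         // leak
        return criteria;
    }

    /**
     * Hardened shape, mirroring the advisory's mitigation: reject any raw
     * parameter naming a protected column, null the sensitive fields before
     * the query is generated, and only ever emit allowlisted criteria so a
     * future field cannot silently become filterable.
     */
    public static Map<String, String> buildQuerySafe(SysUser u, Map<String, String[]> rawParams) {
        for (String name : rawParams.keySet()) {
            if (SENSITIVE.contains(name)) {
                throw new IllegalArgumentException("query on protected field: " + name);
            }
        }
        u.password = null;
        u.salt = null;
        Map<String, String> criteria = new LinkedHashMap<>();
        if (FILTERABLE.contains("username") && u.username != null) criteria.put("username", u.username);
        if (FILTERABLE.contains("realname") && u.realname != null) criteria.put("realname", u.realname);
        return criteria;
    }

    /** Response-side defence: strip secrets so they never leave the server. */
    public static Map<String, String> toResponse(SysUser u) {
        Map<String, String> view = new LinkedHashMap<>();
        view.put("username", u.username);
        view.put("realname", u.realname);
        // password and salt are intentionally omitted
        return view;
    }

    public static void main(String[] args) {
        // Constructed request: an authenticated caller filtering on a protected column.
        Map<String, String[]> rawParams = new LinkedHashMap<>();
        rawParams.put("username", new String[] {"admin"});
        rawParams.put("salt", new String[] {"ab*"});

        SysUser bound = new SysUser();
        bound.username = "admin";
        bound.salt = "ab*"; // what naive parameter binding would produce

        System.out.println("unsafe criteria: " + buildQueryUnsafe(bound)); // includes salt
        try {
            buildQuerySafe(bound, rawParams);
        } catch (IllegalArgumentException e) {
            System.out.println("safe build rejected request: " + e.getMessage());
        }

        rawParams.remove("salt");
        System.out.println("safe criteria:   " + buildQuerySafe(bound, rawParams)); // username only
        System.out.println("response view:   " + toResponse(bound));
    }
}
```

Rejecting the request outright (rather than silently dropping the parameter) also gives the access log a clear signal for the monitoring the advisory recommends: repeated rejections from one principal naming `salt` or `password` are the brute-force pattern to alert on.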
