CVE-2026-11502
Open Redirect Vulnerability in JeecgBoot Third-Party Login

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A weakness has been identified in JeecgBoot up to 3.9.2. Impacted is the function HttpServletResponse.sendRedirect of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java of the component Third-Party Login. Manipulation of the argument state causes an open redirect. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The project replied: "After evaluation, this vulnerability has low exploitability in real-world scenarios: 1) Exploiting this vulnerability requires attackers to use social engineering techniques to induce victims to actively click on an OAuth login link constructed by the attacker; it cannot be triggered passively. 2) Third-party login (DingTalk/WeChat, etc.) is an optional feature and may not be enabled in most projects."
Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-08
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: jeecgboot
Product: jeecgboot
Version / Range: to 3.9.2 (inclusive)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Quick Actions
Executive Summary

This vulnerability is an Open Redirect issue found in JeecgBoot up to version 3.9.2, specifically in the OAuth2 login flow within the Third-Party Login component. It arises from improper validation of the "state" parameter in the HTTP redirect process. Attackers can manipulate this parameter to redirect users to arbitrary, potentially malicious websites.

The vulnerability exists in two endpoints: /sys/thirdLogin/oauth2/{source}/login and /sys/thirdLogin/oauth2/{source}/callback. In the login endpoint, the user-controlled "state" parameter is appended directly to the OAuth URL without validation, enabling an attacker to craft malicious redirect URLs. In the callback endpoint, after OAuth authentication, a JWT token is appended to the manipulated "state" parameter and used in another redirect, which can leak the victim's authentication token.

Exploitation requires social engineering to trick victims into clicking a crafted OAuth login link. The attack is considered complex and difficult to execute, and the third-party login feature is optional and may not be enabled in many deployments.

Impact Analysis

This vulnerability allows attackers to redirect users to malicious websites through manipulated OAuth login URLs, which can be used for phishing or other social engineering attacks.

More critically, because the JWT authentication token is appended to the manipulated "state" parameter and included in the redirect, attackers can steal these tokens. With stolen tokens, attackers may gain unauthorized access to victim accounts, potentially compromising sensitive information or performing unauthorized actions.

However, the exploitability is considered low in real-world scenarios due to the need for user interaction (clicking a malicious link) and the optional nature of the third-party login feature.

Detection Guidance

This vulnerability involves manipulation of the "state" parameter in OAuth2 login endpoints, which can cause open redirects and token leakage.

To detect this vulnerability on your system or network, you can monitor HTTP requests to the endpoints /sys/thirdLogin/oauth2/{source}/login and /sys/thirdLogin/oauth2/{source}/callback for suspicious or unexpected "state" parameter values that cause redirects to external or untrusted domains.

Suggested commands include using curl or similar tools to test the redirect behavior by crafting requests with manipulated "state" parameters, for example:

  • curl -v "https://your-jeecgboot-domain/sys/thirdLogin/oauth2/dingtalk/login?state=https://malicious.example.com"
  • curl -v "https://your-jeecgboot-domain/sys/thirdLogin/oauth2/dingtalk/callback?state=https://malicious.example.com"

Additionally, network monitoring tools or web application firewalls (WAF) can be configured to alert on redirects to external domains originating from these endpoints.

Mitigation Strategies

Immediate mitigation steps include disabling or restricting the use of third-party login features (such as DingTalk or WeChat OAuth) if they are not essential, since this feature is optional and may not be enabled in most projects.

If third-party login is required, ensure that the "state" parameter is properly validated and sanitized to prevent open redirects and token leakage.
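As an added illustration (not JeecgBoot's own code), this Python sketch shows the two checks the Detection Guidance and this mitigation step call for: a redirect-target validator for the "state" value that accepts only same-origin paths or an allow-listed host, and a sweep over access-log lines for the two third-party login endpoints that flags any "state" value the validator rejects. The allow-listed host portal.example.com and the log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the deployment's own front-end host; everything else is off-site.
ALLOWED_HOSTS = {"portal.example.com"}
OAUTH_PATH = re.compile(r"/sys/thirdLogin/oauth2/[^/?]+/(login|callback)")

def is_safe_redirect_target(state, allowed_hosts=ALLOWED_HOSTS):
    """True only if `state` is a same-origin path or an absolute URL on an
    allow-listed host; rejects //host, backslash and non-http schemes."""
    if not state or any(c in state for c in "\\\r\n\t"):
        return False
    if state.startswith("/") and not state.startswith("//"):
        return True                       # relative path on the current origin
    parts = urlsplit(state)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                      # javascript:/data:/no host at all
    return parts.hostname.lower() in allowed_hosts

def flag_suspicious_oauth_requests(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (path, decoded state) for access-log requests to the two
    third-party login endpoints whose state would redirect off-site."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not OAUTH_PATH.fullmatch(url.path):
            continue
        state = parse_qs(url.query).get("state", [""])[0]   # percent-decoded
        if state and not is_safe_redirect_target(state, allowed_hosts):
            hits.append((url.path, state))
    return hits

# Constructed access-log sample: one benign state, two off-site states, one
# unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jun/2026:10:01:02 +0000] "GET /sys/thirdLogin/oauth2/dingtalk/login?state=%2Fdashboard HTTP/1.1" 302 0',
    '10.0.0.7 - - [08/Jun/2026:10:01:09 +0000] "GET /sys/thirdLogin/oauth2/dingtalk/login?state=https%3A%2F%2Fmalicious.example.com HTTP/1.1" 302 0',
    '10.0.0.9 - - [08/Jun/2026:10:01:30 +0000] "GET /sys/thirdLogin/oauth2/wechat/callback?code=abc&state=%2F%2Fmalicious.example.com HTTP/1.1" 302 0',
    '10.0.0.4 - - [08/Jun/2026:10:02:00 +0000] "GET /sys/user/login HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for path, state in flag_suspicious_oauth_requests(SAMPLE_LOG):
        print(f"off-site redirect via state: {path} -> {state}")
```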

Apply available patches or upgrade JeecgBoot to a version where this vulnerability is fixed.

Educate users about the risk of social engineering attacks that could trick them into clicking malicious OAuth login links.

Compliance Impact

The vulnerability is an open redirect in the OAuth2 login flow that can be exploited to redirect users to malicious sites and potentially leak JWT authentication tokens, which could lead to unauthorized access to user accounts.

Such unauthorized access and token leakage could pose risks to the confidentiality and integrity of personal data, which are critical aspects of compliance with standards like GDPR and HIPAA.

However, the exploitability is considered difficult and requires social engineering to induce users to click malicious links, and the affected third-party login feature is optional and may not be enabled in most deployments.

Therefore, while the vulnerability could potentially impact compliance by enabling unauthorized data access, its real-world risk is low, and mitigation or disabling the affected feature can reduce compliance concerns.
