CVE-2026-58375
Status: Received - Intake

Unauthenticated Report Export in JimuReport

Vulnerability report for CVE-2026-58375, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id without verifying the auto-export configuration flag. An unauthenticated remote attacker can enumerate Snowflake report identifiers and export the full contents of any report, including the data returned by the report's configured SQL queries and any credentials embedded in its data sources.


Meta Information

  • Published: 2026-06-30
  • Last Modified: 2026-06-30
  • Generated: 2026-06-30
  • AI Q&A: 2026-06-30
  • EPSS Evaluated: N/A

Affected Vendors & Products

Currently, no data is known.


Exploitability

CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

KEV: no entry.


AI Quick Actions

Executive Summary

CVE-2026-58375 is a critical vulnerability in JimuReport version 2.5.0 and earlier that allows unauthenticated remote attackers to export reports via the unprotected POST /jmreport/auto/export endpoint.

The vulnerability exists because the endpoint is annotated with @JimuNoLoginRequired, which causes the JimuReportTokenInterceptor to skip all authentication and authorization checks.

As a result, an attacker can enumerate Snowflake report identifiers and export the full contents of any report, including sensitive data returned by SQL queries and any credentials embedded in the report's data sources.

Impact Analysis

This vulnerability allows unauthenticated attackers to access and export sensitive report data without any authorization.

  • Attackers can obtain business information, personally identifiable information (PII), and embedded credentials from the reports.
  • The exported data is streamed as a ZIP file containing an Excel file, which can be used for further exploitation or data leakage.

Such unauthorized data exposure can lead to data breaches, loss of confidentiality, and potential misuse of sensitive information.

Detection Guidance

This vulnerability can be detected by checking for unauthenticated access to the POST /jmreport/auto/export endpoint on JimuReport versions up to 2.5.0. An attacker can send a POST request with a report ID to this endpoint without any authentication token or cookie and receive the exported report data.

A simple way to test this is to use curl to send a POST request to the endpoint with a report ID parameter and observe whether report data is returned without authentication.

  • curl -X POST http://<target-host>/jmreport/auto/export -d 'reportId=<report_id>' -v

If the response contains a ZIP file or report data without requiring authentication, the system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include removing the @JimuNoLoginRequired annotation from the /jmreport/auto/export endpoint to enforce authentication and authorization checks.

Alternatively, if unauthenticated access is necessary, implement a secure API key or HMAC mechanism to protect the endpoint.

Additionally, upgrading JimuReport to a version where this vulnerability is fixed or applying patches that enforce authentication on this endpoint is recommended.
