CVE-2026-58377
Status: Received - Intake

JeecgBoot Broken Access Control in OpenAPI Credentials

Vulnerability report for CVE-2026-58377, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI credentials by accessing the OpenApiAuthController and OpenApiPermissionController endpoints which lack Shiro authorization annotations. Attackers can exploit the unenforced access controls to list, add, edit, and delete all AK/SK credential pairs, with the list endpoint returning secret keys in plaintext, enabling credential theft and unauthorized invocation of the OpenAPI surface.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor     Product     Version / Range
jeecgboot  jeecgboot   up to and including 3.9.2

Exploitability

CWE ID: CWE-862 Missing Authorization
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

AI Quick Actions
Executive Summary

CVE-2026-58377 is a broken access control vulnerability in JeecgBoot through version 3.9.2. It allows authenticated users with low privileges to fully create, read, update, and delete OpenAPI credentials by accessing endpoints that lack proper authorization checks. Specifically, the OpenApiAuthController and OpenApiPermissionController endpoints do not enforce Shiro authorization annotations, enabling attackers to manipulate all Access Key (AK) and Secret Key (SK) credential pairs.

Additionally, the /openapi/call/{path} endpoint is publicly accessible without authentication and only verifies the Access Key, failing to validate the Secret Key signature. This flaw allows attackers to invoke any configured API routes by supplying only the Access Key, with the server generating a JWT token on behalf of the credential owner, potentially an administrator.

Together, these issues enable an attacker to steal credentials, modify or delete them, and perform unauthorized privileged API calls, leading to significant unauthorized access and control over the system.

Impact Analysis

This vulnerability can have severe impacts including credential theft and unauthorized access to the system's OpenAPI surface. An attacker with low privileges can list all Access Key and Secret Key pairs, with secret keys exposed in plaintext, allowing them to steal sensitive credentials.

Because the same unprotected endpoints also allow add, edit, and delete, the attacker can plant credentials of their own or remove the ones legitimate integrations depend on. With a stolen Access Key they can then call /openapi/call/{path}, which is reachable without authentication and does not check the Secret Key signature, and the server issues a JWT for the credential owner, typically an administrator. The result is privileged API access, data exposure, and potential disruption of services.

Detection Guidance

A low-privilege account is enough to test for this vulnerability: the question is whether the OpenAPI credential management endpoints accept a session that holds no administrative role.

Specifically, test the /openapi/auth/* and /openapi/permission/* endpoints to see whether a non-administrative user can list, add, edit, or delete OpenAPI credentials. The paths below follow this page's guidance; confirm the exact routes and parameter names against the OpenApiAuthController in the version you run.

curl with the session token of a low-privilege user is sufficient. JeecgBoot's front end sends the session token in the X-Access-Token request header (that is the header the default JwtFilter reads, not Authorization: Bearer), so send it that way. The list call is read-only; the add and delete calls change state, so run them against a test instance or remove any record they create.

  • curl -H "X-Access-Token: <low-privilege-token>" https://<target>/openapi/auth/list
  • curl -X POST -H "X-Access-Token: <low-privilege-token>" -H "Content-Type: application/json" -d '{"ak":"test","sk":"test"}' https://<target>/openapi/auth/add
  • curl -X DELETE -H "X-Access-Token: <low-privilege-token>" https://<target>/openapi/auth/delete/<credential_id>

Check the JSON body, not only the HTTP status: JeecgBoot answers in an envelope with "success", "code", "message" and "result" fields, and a denied request can come back as HTTP 200 with "success": false. If the list call returns "success": true with records that include "sk" values, the instance is vulnerable and the secret keys are being disclosed in plaintext; if the add or delete call returns "success": true, the low-privilege user can also modify the credential set.

Mitigation Strategies

Immediate mitigation is to put the OpenAPI credential management endpoints behind the same authorization checks the rest of the administrative API uses.

Specifically, annotate the OpenApiAuthController and OpenApiPermissionController handlers with the Shiro authorization annotations they currently lack (@RequiresPermissions or @RequiresRoles) or an equivalent server-side check, so that only administrative roles can list, add, edit, or delete credentials. Until the code is fixed, block /openapi/auth/* and /openapi/permission/* at the reverse proxy except from administrator networks, or disable the OpenAPI module if it is not in use.

Additionally, fix /openapi/call/{path} so that a request is accepted only when it carries a signature computed with the Secret Key over the request (at minimum the method, path, a timestamp, a nonce and the body), the timestamp falls within a short window, the nonce has not been seen before, and the comparison is constant-time. A request that presents only the Access Key must be rejected: the AK is an identifier, not a secret.
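The signature check the previous paragraph calls for, as an added example in Python rather than JeecgBoot's Java; this is not the project's code. The header names, the canonical string layout, the five-minute skew window and the credential table are this example's own assumptions. It goes a little beyond the page by also handling replay and clock skew, which any AK/SK scheme needs once the signature itself is checked.

```python
"""Signed OpenAPI request check: the AK identifies the caller, the SK proves it.

Added example, not JeecgBoot's own code. Header names (X-Api-*), the canonical
string layout, the skew window and the credential table are assumptions made
for this example. The point it makes is the one the advisory's
/openapi/call/{path} flaw misses: a request carrying only the Access Key must
be rejected.
"""
import hashlib
import hmac

# Constructed server-side credential table. The SK never travels on the wire.
CREDENTIALS = {"AK-demo": "sk-demo-very-secret"}
MAX_SKEW_SECONDS = 300


def canonical_string(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> str:
    """Bind method, path, time, nonce and body so none of them can be swapped after signing."""
    return "\n".join([method.upper(), path, str(timestamp), nonce,
                      hashlib.sha256(body).hexdigest()])


def sign_request(ak: str, sk: str, method: str, path: str, timestamp: int,
                 nonce: str, body: bytes) -> dict:
    """Client side: produce the headers for one signed call (assumed header names)."""
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    mac = hmac.new(sk.encode(), msg, hashlib.sha256).hexdigest()
    return {"X-Api-Ak": ak, "X-Api-Timestamp": str(timestamp),
            "X-Api-Nonce": nonce, "X-Api-Signature": mac}


def verify_request(headers: dict, method: str, path: str, body: bytes,
                   now: int, seen_nonces: set) -> tuple:
    """Server side: return (accepted, reason). Every failure rejects; AK alone is never enough."""
    ak = headers.get("X-Api-Ak", "")
    sk = CREDENTIALS.get(ak)
    if sk is None:
        return False, "unknown access key"
    sig = headers.get("X-Api-Signature", "")
    nonce = headers.get("X-Api-Nonce", "")
    if not sig or not nonce:
        return False, "missing signature or nonce"  # the AK-only request the advisory describes
    try:
        ts = int(headers.get("X-Api-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside skew window"
    msg = canonical_string(method, path, ts, nonce, body).encode()
    expected = hmac.new(sk.encode(), msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if (ak, nonce) in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add((ak, nonce))  # remember the nonce only once the request is accepted
    return True, "ok"


def demo() -> dict:
    """Walk a signed, an AK-only, a tampered, a replayed and a stale request through verify_request."""
    seen = set()
    method, path, body = "POST", "/openapi/call/demo-route", b'{"pageNo":1}'  # placeholder route
    now = 1_900_000_000
    good = sign_request("AK-demo", CREDENTIALS["AK-demo"], method, path, now, "nonce-1", body)
    out = {"signed": verify_request(good, method, path, body, now, seen)[1]}
    out["ak_only"] = verify_request({"X-Api-Ak": "AK-demo"}, method, path, body, now, seen)[1]
    out["tampered_body"] = verify_request(good, method, path, b'{"pageNo":2}', now, seen)[1]
    out["replayed"] = verify_request(good, method, path, body, now, seen)[1]
    stale = sign_request("AK-demo", CREDENTIALS["AK-demo"], method, path, now - 3600, "nonce-2", body)
    out["stale"] = verify_request(stale, method, path, body, now, seen)[1]
    return out


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:14s} -> {reason}")
```

The signature is checked before the nonce cache is consulted, so an unauthenticated caller cannot fill the cache with nonces it never signed; in a real deployment the cache also needs an expiry no shorter than the skew window, otherwise a nonce can be replayed once it has been forgotten.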

Upgrade to a fixed JeecgBoot release once the project publishes one; versions through 3.9.2 are affected.

Because the list endpoint discloses every secret key in plaintext, treat all existing AK/SK pairs on an instance that was exposed while vulnerable as compromised, and rotate them after the fix is applied. Meanwhile, audit access logs for calls to /openapi/auth/* and /openapi/permission/* from non-administrative accounts and for /openapi/call/* invocations, which together identify both the theft of credentials and their use.
