PatchSiren cyber security CVE debrief
CVE-2026-10241 jeecgboot CVE debrief
A server-side request forgery (SSRF) vulnerability in JeecgBoot, affecting versions up to 3.9.1. The flaw exists in the `FileDownloadUtils.download2DiskFromNet` function via the `/airag/app/debug` endpoint, where improper handling of URLs allows remote attackers to manipulate requests to cloud instance metadata endpoints. The vulnerability was publicly disclosed on 2026-06-01 with a CVSS 4.0 score of 2.1 (Low severity). A public exploit is available, increasing immediate risk. Upgrading to version 3.9.2 resolves this issue.
- Vendor
- jeecgboot
- Product
- The server processes these URLs
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-01
- Original CVE updated
- 2026-06-01
- Advisory published
- 2026-06-01
- Advisory updated
- 2026-06-01
Who should care
Organizations running JeecgBoot versions 3.9.1 or earlier, particularly those deployed in cloud environments (AWS, Azure, GCP, Alibaba Cloud) where instance metadata services are accessible. Development and security teams responsible for Java/Spring Boot applications using JeecgBoot framework. Cloud security teams monitoring for SSRF vectors that could lead to metadata service compromise.
Technical summary
The vulnerability is a server-side request forgery (CWE-918) in JeecgBoot's `FileDownloadUtils.download2DiskFromNet` function, accessible through the `/airag/app/debug` endpoint. The application accepts URLs without adequate validation, allowing attackers to supply URLs targeting cloud instance metadata endpoints (such as 169.254.169.254). This can lead to unauthorized access to cloud metadata services, potentially exposing credentials, tokens, or instance configuration data. The attack requires low privileges, no user interaction, and can be executed remotely over the network. The CVSS 4.0 score of 2.1 reflects limited confidentiality, integrity, and availability impacts under the assessed vector, though cloud metadata exposure can have outsized practical impact in cloud deployments.
Defensive priority
medium
Recommended defensive actions
- Upgrade JeecgBoot to version 3.9.2 or later to remediate this vulnerability.
- Restrict network access to the `/airag/app/debug` endpoint to authorized administrative sources only, as an interim control if immediate patching is not feasible.
- Implement SSRF protections including URL validation, denylisting of internal metadata endpoints (169.254.169.254, 169.254.170.2, etc.), and network segmentation to prevent cloud metadata access from application servers.
- Monitor for anomalous outbound requests from application servers to unexpected destinations, particularly cloud metadata IP ranges.
- Review application logs for requests to `/airag/app/debug` with unusual URL parameters that may indicate exploitation attempts.
Evidence notes
The vulnerability description identifies the affected component as JeecgBoot versions up to 3.9.1, with the specific function `FileDownloadUtils.download2DiskFromNet` in the `/airag/app/debug` path. The CWE-918 classification confirms SSRF. The CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring low privileges and no user interaction. Vendor identification is marked low confidence with needsReview flag due to source domain inference from Vuldb rather than direct vendor confirmation.
Official resources
public