PatchSiren cyber security CVE debrief

CVE-2026-9579 JeecgBoot CVE debrief

CVE-2026-9579 is a low-severity improper access control vulnerability in JeecgBoot versions up to and including 3.9.1. An authenticated remote attacker can manipulate the userIdentity argument handled by the user.getUsername function behind the /sys/user/login/setting/userEdit endpoint and bypass the intended access control. The CVE was published 2026-05-26 with a CVSS 4.0 base score of 2.1 (LOW), and exploit details are public. The vendor has released version 3.9.2 to address the issue.

Vendor
JeecgBoot
Product
JeecgBoot
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-27
Advisory published
2026-05-26
Advisory updated
2026-05-27

Who should care

Organizations running JeecgBoot 3.9.1 or earlier in which authenticated users can reach the SysUser management functionality (in particular the self-service edit endpoint) should schedule an upgrade to version 3.9.2.

Technical summary

The flaw lies in the user.getUsername function of JeecgBoot's SysUser component, reached through the /sys/user/login/setting/userEdit endpoint. An authenticated attacker can remotely manipulate the userIdentity argument to bypass the intended access controls. The attack can be carried out over the network with low complexity and no user interaction; the impact on confidentiality, integrity, and availability is limited, which is why the CVSS 4.0 score is low. Because exploit details are public, attempts against reachable instances should be expected.
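The following is an added illustration of the CWE-266/CWE-284 pattern the summary describes, not JeecgBoot's code: a self-service profile-edit handler that binds whatever the client sends onto the stored user record, beside a hardened version that derives the target from the session and accepts only an explicit allow-list of fields. The User fields, the FIELD_MAP, the SELF_EDITABLE set and the meaning of user_identity are assumptions of this example.

```python
"""Self-service user edit: client-controlled privilege field vs. allow-listed update.

Added example for CVE-2026-9579's weakness class; the entity, field names and
allow-list are assumptions, not JeecgBoot's implementation.
"""
from dataclasses import dataclass, replace


@dataclass
class User:
    id: str
    username: str
    email: str
    phone: str
    # Assumed privilege-bearing attribute, modelled on the userIdentity
    # parameter named in the advisory; 1 is taken to be an ordinary member.
    user_identity: int = 1


# Request parameter name -> entity attribute (assumed mapping).
FIELD_MAP = {
    "username": "username",
    "email": "email",
    "phone": "phone",
    "userIdentity": "user_identity",
}

# Fields a user may change about their own account (assumption of this example).
SELF_EDITABLE = frozenset({"email", "phone"})


class AccessDenied(Exception):
    """Raised by the hardened handler when a request carries a field the caller may not set."""


def user_edit_vulnerable(session_user: User, params: dict, users: dict) -> User:
    """Binds every known request parameter onto the caller's own record.

    Nothing distinguishes profile fields from privilege fields, so a caller who
    adds userIdentity to the request rewrites their own privilege level. This is
    the incorrect-privilege-assignment pattern (CWE-266) behind an access-control
    bypass (CWE-284).
    """
    target = users[session_user.id]
    for key, value in params.items():
        attr = FIELD_MAP.get(key)
        if attr is not None:
            setattr(target, attr, value)
    users[target.id] = target
    return target


def user_edit_hardened(session_user: User, params: dict, users: dict) -> User:
    """Target comes from the session, fields from an allow-list; extras are rejected.

    Rejecting rather than silently dropping unknown fields makes tampering
    visible in application logs instead of failing quietly.
    """
    target = users[session_user.id]
    extra = set(params) - SELF_EDITABLE
    if extra:
        raise AccessDenied(f"non-editable fields in request: {sorted(extra)}")
    changes = {FIELD_MAP[k]: params[k] for k in SELF_EDITABLE if k in params}
    updated = replace(target, **changes)   # copy with only the permitted changes
    users[target.id] = updated
    return updated
```

The hardened handler never reads an identity or a target user from the request; the only way to change user_identity is through a separate, administrator-only path that this example does not model.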

Defensive priority

routine

Recommended defensive actions

  • Upgrade JeecgBoot to version 3.9.2 or later
  • Review the access controls on the /sys/user/login/setting/userEdit endpoint, in particular which fields an authenticated user may set through it
  • Audit existing user privilege assignments for values that were not granted deliberately
  • Monitor for anomalous requests to SysUser component endpoints, especially self-service edits that carry the userIdentity parameter
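As an added example for the monitoring item above (not a PatchSiren or JeecgBoot tool), the script below scans access-log lines for requests to /sys/user/login/setting/userEdit that carry a userIdentity parameter in the query string or form body and tallies hits per account. The log format, the sample lines and the assumption that the parameter arrives URL-encoded are constructed for this example; adapt LOG_RE to the format your proxy or application actually writes.

```python
"""Flag self-service userEdit requests that carry a userIdentity parameter.

Added detection example; the log format and sample lines are constructed, and
a production deployment would need the regex adapted to its own access logs.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/sys/user/login/setting/userEdit"
WATCH_PARAMS = {"userIdentity"}

# Constructed format: timestamp, source IP, authenticated user, request line,
# status, and an optional URL-encoded form body. Not JeecgBoot's log layout.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) user=(?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
    r'(?: body=(?P<body>\S*))?$'
)

# Constructed sample: two ordinary profile edits, one unrelated request, and two
# edits that smuggle userIdentity in via the body and via the query string.
SAMPLE_LOG = """\
2026-05-27T09:12:01Z 10.0.0.5 user=alice "PUT /sys/user/login/setting/userEdit HTTP/1.1" 200 body=email=alice%40example.com
2026-05-27T09:12:07Z 10.0.0.5 user=alice "PUT /sys/user/login/setting/userEdit HTTP/1.1" 200 body=email=alice%40example.com&userIdentity=2
2026-05-27T09:13:20Z 10.0.0.9 user=bob "GET /sys/user/list?pageNo=1 HTTP/1.1" 200
2026-05-27T09:14:02Z 10.0.0.9 user=bob "PUT /sys/user/login/setting/userEdit?userIdentity=2 HTTP/1.1" 200 body=phone=5550100
"""


def parse_line(line: str):
    """Parse one log line; merge query-string and body parameters into one dict."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    params = parse_qs(parts.query, keep_blank_values=True)
    if rec["body"]:
        for key, values in parse_qs(rec["body"], keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    rec["path"] = parts.path
    rec["params"] = params
    return rec


def suspicious_requests(lines):
    """Return the userEdit requests that carry any watched parameter, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        seen = WATCH_PARAMS & rec["params"].keys()
        if seen:
            hits.append({
                "ts": rec["ts"],
                "user": rec["user"],
                "src": rec["src"],
                "status": int(rec["status"]),
                "params": {k: rec["params"][k] for k in seen},
            })
    return hits


def hits_per_user(lines):
    """Count flagged requests per authenticated account, for triage ordering."""
    return Counter(h["user"] for h in suspicious_requests(lines))


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f'{hit["ts"]} {hit["user"]}@{hit["src"]} status={hit["status"]} {hit["params"]}')
```

A 200 response on a flagged request is the signal worth paging on once the 3.9.2 upgrade is in place, because after the fix such requests should no longer succeed; before the upgrade every hit is a candidate for the privilege audit in the list above.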

Evidence notes

Vulnerability affects JeecgBoot ≤3.9.1 via userIdentity parameter manipulation in SysUser component. CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control) identified. Public exploit availability confirmed. Fix released in v3.9.2.
