PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9604 JeecgBoot CVE debrief

A low-severity improper access control vulnerability affects JeecgBoot versions up to and including 3.9.1. The flaw is in the AiragModelController component, whose list and queryById operations do not properly enforce authorization, so an authenticated low-privileged user can reach data they are not entitled to. The issue is exploitable over the network and a public proof-of-concept exploit exists. The vendor has released version 3.9.2 to address it.

Vendor
JeecgBoot
Product
JeecgBoot
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-27
Advisory published
2026-05-26
Advisory updated
2026-05-27

Who should care

Organizations running JeecgBoot 3.9.1 or earlier for AI model management workflows, particularly those exposing AiragModelController endpoints to low-privilege users or external networks.

Technical summary

The AiragModelController component in JeecgBoot fails to properly enforce access controls on its list and queryById operations, allowing authenticated attackers with low privileges to access resources they are not authorized for. The vulnerability is classified as improper access control (CWE-284) with elements of incorrect privilege assignment (CWE-266). Exploitation is possible over the network without user interaction. The CVSS 4.0 score of 2.1 reflects limited confidentiality impact with no integrity or availability impact. The existence of a public proof-of-concept exploit raises the practical risk despite the low severity score.

Defensive priority

routine

Recommended defensive actions

  • Upgrade JeecgBoot to version 3.9.2 or later
  • Review access controls on AiragModelController endpoints, particularly list/queryById functionality
  • Monitor for unauthorized access attempts to AI model management interfaces
  • Apply principle of least privilege to service accounts accessing the affected component
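The "review access controls" and "monitor for unauthorized access" actions above need something concrete to run. The script below is an added example for this debrief, not PatchSiren's or JeecgBoot's own code: it scans web-server access logs for successful requests to the list and queryById operations of the affected component and flags any made by an account that does not hold an expected role. Assumptions, all labelled in the code: the controller is mounted under /airag/model (verify against your deployment's routing), the log is in combined format with the authenticated JeecgBoot username in the remote-user field, the role table comes from your identity provider or a JeecgBoot user export, and the sample log lines are constructed.

```python
"""Flag successful requests to the AiragModelController list/queryById
operations from accounts outside an allowed role set.

Added example for this debrief; not PatchSiren's or JeecgBoot's code.
"""
import re
from collections import Counter

# Constructed sample lines in combined log format. The third field is the
# authenticated JeecgBoot username ("-" when the request was unauthenticated).
SAMPLE_LOG = """\
10.0.0.5 - admin [26/May/2026:10:01:02 +0000] "GET /jeecg-boot/airag/model/list?pageNo=1 HTTP/1.1" 200 812
10.0.0.9 - intern [26/May/2026:10:01:40 +0000] "GET /jeecg-boot/airag/model/queryById?id=1 HTTP/1.1" 200 640
10.0.0.9 - intern [26/May/2026:10:01:41 +0000] "GET /jeecg-boot/airag/model/queryById?id=2 HTTP/1.1" 200 655
10.0.0.9 - intern [26/May/2026:10:01:42 +0000] "GET /jeecg-boot/airag/model/queryById?id=3 HTTP/1.1" 200 651
10.0.0.7 - alice [26/May/2026:10:02:00 +0000] "GET /jeecg-boot/sys/user/list HTTP/1.1" 200 900
198.51.100.4 - - [26/May/2026:10:03:00 +0000] "GET /jeecg-boot/airag/model/list HTTP/1.1" 401 0
"""

# Constructed role table; in practice export it from your IdP or the
# JeecgBoot user/role tables. Roles that are allowed to manage AI models
# are an assumption for this example.
USER_ROLES = {"admin": {"admin"}, "alice": {"admin"}, "intern": {"viewer"}}
ALLOWED_ROLES = {"admin", "ai_model_manager"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# The two operations named in the advisory. The /airag/model prefix is an
# assumption; confirm the real mount path in your deployment.
TARGET_RE = re.compile(r'/airag/model/(list|queryById)(\?|$)')


def parse_line(line):
    """Return a dict of the fields we need, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(log_text, user_roles, allowed_roles):
    """Return successful list/queryById requests by users lacking an allowed role.

    A 4xx/5xx response means the server refused the request, which is the
    control working; only 2xx/3xx responses to under-privileged users are
    the pattern this advisory describes.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = TARGET_RE.search(rec["path"])
        if target is None or rec["status"] >= 400:
            continue
        if user_roles.get(rec["user"], set()) & allowed_roles:
            continue
        hits.append({"user": rec["user"], "ip": rec["ip"],
                     "op": target.group(1), "path": rec["path"]})
    return hits


def summarize(hits):
    """Count hits per (user, operation) so enumeration bursts stand out."""
    return Counter((h["user"], h["op"]) for h in hits)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG, USER_ROLES, ALLOWED_ROLES)
    for (user, op), n in summarize(found).items():
        print(f"{user}: {n} successful {op} request(s) without an allowed role")
```

Run it against the real access log and role export; a run of sequential queryById identifiers from one low-privilege account, as in the constructed sample, is the enumeration pattern to escalate. After upgrading to 3.9.2 the same requests should appear with 403 responses, which the script deliberately ignores.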

Evidence notes

CVE published 2026-05-26. The CVSS 4.0 vector indicates network attack vector and low attack complexity, requiring low privileges but no user interaction. CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control) are identified. Exploit Maturity is marked E:P (Proof-of-Concept) in the CVSS 4.0 vector.
