CVE Vulnerability Database

CVE-2026-10240: JeecgBoot SSRF Vulnerability

CVE-2026-10240 is a server-side request forgery (SSRF) flaw in JeecgBoot up to and including version 3.9.2 that lets a low-privileged authenticated remote user make the server issue HTTP requests to URLs of the user's choosing. This post covers technical details, affected versions, and mitigation.

CVE-2026-10240 Overview

CVE-2026-10240 is a Server-Side Request Forgery (SSRF) vulnerability affecting JeecgBoot versions up to and including 3.9.2. The flaw resides in an unspecified function behind the /airag/airagModel/test endpoint. An attacker can set the baseUrl parameter so that the server issues outbound HTTP requests to arbitrary destinations. Exploitation requires network access to the endpoint and an authenticated account with only low privileges, and a public exploit exists. The vendor has indicated that a fix is planned for an upcoming release.

Critical Impact

Authenticated attackers can leverage the JeecgBoot server to probe internal networks, access cloud metadata services, or reach otherwise unreachable internal endpoints by abusing the baseUrl parameter.

Affected Products

  • JeecgBoot versions up to and including 3.9.2
  • Deployments exposing the /airag/airagModel/test endpoint
  • Installations integrating the AI RAG model testing functionality

Discovery Timeline

  • 2026-06-01 - CVE-2026-10240 published to the National Vulnerability Database (NVD)
  • 2026-06-01 - Last updated in the NVD database

Technical Details for CVE-2026-10240

Vulnerability Analysis

The vulnerability is classified as Server-Side Request Forgery [CWE-918]. JeecgBoot exposes the /airag/airagModel/test endpoint so that administrators can validate connectivity to an AI Retrieval-Augmented Generation (RAG) model service. The endpoint accepts a baseUrl parameter that names the target service for the connection test. The application neither validates nor restricts the values supplied to this parameter, so an authenticated user can replace the intended model endpoint with any internal or external URL. The server then issues HTTP requests to the attacker-chosen destination from its own network position and with its own identity.

Root Cause

The root cause is missing allow-list validation on the baseUrl argument before the backend constructs and dispatches an outbound HTTP request. The handler trusts user input as a legitimate model service location. No host validation, scheme filtering, or network segmentation control exists to prevent requests to internal addresses such as 127.0.0.1, RFC1918 ranges, or cloud metadata endpoints like 169.254.169.254.

Attack Vector

An authenticated attacker submits a crafted request to /airag/airagModel/test with the baseUrl parameter pointing to an internal resource. The JeecgBoot server processes the test request and connects to the attacker-supplied URL. The attacker can enumerate internal services, retrieve cloud instance credentials, or relay requests through the application server. The attack is remotely exploitable over the network and requires no user interaction. See the GitHub Issue #9609 and VulDB CVE-2026-10240 entries for additional technical context.

Detection Methods for CVE-2026-10240

Indicators of Compromise

  • Requests to /airag/airagModel/test whose baseUrl parameter (in the query string or the request body, depending on how the endpoint is invoked) references internal IP ranges, localhost, or cloud metadata addresses
  • Unexpected outbound connections originating from the JeecgBoot application server to internal hosts or non-AI service endpoints
  • Application logs showing failed or anomalous AI model test invocations from low-privilege accounts

Detection Strategies

  • Inspect web access logs for requests to /airag/airagModel/test and flag any baseUrl parameter not matching the approved list of AI service hostnames
  • Correlate application requests with outbound network telemetry to detect server-initiated traffic toward 169.254.169.254, 127.0.0.0/8, or RFC1918 addresses
  • Alert on repeated test invocations from a single authenticated session, which may indicate internal network reconnaissance

Monitoring Recommendations

  • Monitor JeecgBoot application logs for high-frequency calls to the AI RAG test endpoint paired with varying baseUrl values
  • Track egress traffic from the application host and route it through an egress proxy that enforces destination allow-listing
  • Enable audit logging for low-privilege user sessions that interact with administrative or model-testing endpoints

How to Mitigate CVE-2026-10240

Immediate Actions Required

  • Restrict network access to /airag/airagModel/test to trusted administrative IP ranges using a reverse proxy or WAF rule
  • Block outbound connections from the JeecgBoot server to internal subnets and cloud metadata endpoints at the firewall layer
  • Review JeecgBoot user accounts and reduce privileges where AI RAG model testing is not required

Patch Information

The JeecgBoot maintainers have indicated that a fix is planned for an upcoming release. No patched version is available at the time of publication. Monitor the JeecgBoot GitHub repository and GitHub Issue #9609 for the official patch announcement.

Workarounds

  • Disable the AI RAG model testing feature if it is not in active use within your deployment
  • Deploy a forward proxy for application egress and enforce an allow-list of permitted AI model service hostnames
  • Apply a WAF rule that rejects requests where the baseUrl parameter contains private IP ranges, localhost, or non-HTTPS schemes
```nginx
# Example NGINX rule to reject obvious SSRF-prone baseUrl values at the reverse proxy.
# $arg_baseUrl sees only the raw query string: a baseUrl carried in a POST body is
# not inspected, and percent-encoded or decimal IP forms slip past a pattern match,
# so treat this as defence in depth behind egress allow-listing, not as the fix.
location /airag/airagModel/test {
    if ($arg_baseUrl ~* "(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|169\.254\.|0\.0\.0\.0|\[::1\]|localhost|file://|gopher://|dict://)") {
        return 403;
    }
    proxy_pass http://jeecgboot_backend;
}
```
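The allow-list validation that the Root Cause section says is missing, combined with the access-log triage described under Detection Strategies, as one added Python example. This is not JeecgBoot code and not taken from the page's sources: the allow-list of model hosts, the DNS answers and the log lines are constructed for the example, and only the endpoint path and the baseUrl parameter name come from the advisory. It deliberately covers inputs the NGINX rule above does not normalise: percent-encoded values, the decimal form of 127.0.0.1, a bracketed IPv6 loopback literal, and a permitted hostname whose DNS answer points at the metadata service.

```python
"""Added example for CVE-2026-10240 (not JeecgBoot code): an allow-list
check for baseUrl plus a triage pass over access-log lines. Allow-list,
DNS answers and log lines are constructed so the example runs offline."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list of AI model service hostnames an operator permits.
ALLOWED_MODEL_HOSTS = {"api.openai.com", "llm-gateway.example"}

# Constructed DNS answers. "2130706433" mimics what getaddrinfo really does
# with a decimal host (it yields 127.0.0.1), which is why the check runs on
# resolved addresses and not on the literal text. llm-gateway.example is a
# permitted name whose DNS was pointed at the metadata service.
FAKE_DNS = {
    "api.openai.com": ["104.18.7.192"],
    "llm-gateway.example": ["93.184.216.34", "169.254.169.254"],
    "2130706433": ["127.0.0.1"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])   # a deployment would use socket.getaddrinfo


def is_internal_ip(ip_text):
    """Loopback, RFC1918, link-local (169.254.169.254 included), unspecified,
    reserved or multicast; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped               # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_unspecified or ip.is_multicast)


def classify_base_url(url, allowlist=ALLOWED_MODEL_HOSTS, resolver=fake_resolver):
    """(verdict, reason): https only, exact hostname allow-list, then every
    resolved address must be external, so a permitted name rebound into
    internal space is still rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "blocked", f"scheme {parts.scheme!r} is not https"
    host = parts.hostname                 # lower-cased, userinfo and [] stripped
    if not host:
        return "blocked", "no host in URL"
    if host not in allowlist:
        return "blocked", f"host {host!r} not in allow-list"
    addrs = resolver(host)
    if not addrs:
        return "blocked", f"host {host!r} did not resolve"
    for addr in addrs:
        if is_internal_ip(addr):
            return "blocked", f"host {host!r} resolves to internal {addr}"
    return "allowed", f"host {host!r} -> {', '.join(addrs)}"


# Combined log format: src ident user [time] "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*"')


def scan_access_log(lines, allowlist=ALLOWED_MODEL_HOSTS,
                    resolver=fake_resolver, recon_threshold=3):
    """Findings for every /airag/airagModel/test hit whose baseUrl is blocked,
    plus the sources that probed recon_threshold or more distinct blocked
    URLs. Only the query string is visible in an access log; a baseUrl sent
    in a POST body needs application or proxy body logging instead."""
    findings, blocked_by_src = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if target.path != "/airag/airagModel/test":
            continue
        for base_url in parse_qs(target.query).get("baseUrl", []):  # %-decoded
            verdict, reason = classify_base_url(base_url, allowlist, resolver)
            if verdict == "blocked":
                findings.append((m["src"], m["user"], base_url, reason))
                blocked_by_src[m["src"]].add(base_url)
    recon = {s for s, urls in blocked_by_src.items() if len(urls) >= recon_threshold}
    return findings, recon


# Constructed log lines: one legitimate test, then one account probing the
# metadata service, a decimal loopback literal, the rebinding host and a
# bracketed IPv6 loopback literal, followed by an unrelated request.
SAMPLE_LOG = [
    '10.0.5.12 - alice [01/Jun/2026:10:01:02 +0000] "GET /airag/airagModel/test'
    '?baseUrl=https%3A%2F%2Fapi.openai.com%2Fv1 HTTP/1.1" 200 312',
    '198.51.100.9 - bob [01/Jun/2026:10:02:10 +0000] "GET /airag/airagModel/test'
    '?baseUrl=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 88',
    '198.51.100.9 - bob [01/Jun/2026:10:02:11 +0000] "GET /airag/airagModel/test'
    '?baseUrl=https%3A%2F%2F2130706433%3A8080%2F HTTP/1.1" 500 40',
    '198.51.100.9 - bob [01/Jun/2026:10:02:12 +0000] "GET /airag/airagModel/test'
    '?baseUrl=https%3A%2F%2Fllm-gateway.example%2Fv1 HTTP/1.1" 200 88',
    '198.51.100.9 - bob [01/Jun/2026:10:02:13 +0000] "GET /airag/airagModel/test'
    '?baseUrl=https%3A%2F%2F%5B%3A%3A1%5D%3A6379%2F HTTP/1.1" 502 0',
    '10.0.5.12 - alice [01/Jun/2026:10:03:00 +0000] "GET /sys/user/list HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    hits, recon_sources = scan_access_log(SAMPLE_LOG)
    print(*hits, sorted(recon_sources), sep="\n")
```

Two caveats apply when the same check is moved into the application. Resolving the name in the validator and then letting the HTTP client resolve it again is a time-of-check/time-of-use gap, so the client should connect to the address the validator accepted and must not follow redirects, which would otherwise let an allow-listed host bounce the request to the metadata service. And if a legitimate model service lives in RFC1918 space, keep the hostname allow-list as the control and narrow is_internal_ip rather than dropping it, so loopback and 169.254.0.0/16 stay unreachable.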

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.