CVE-2026-10241 Overview
CVE-2026-10241 is a server-side request forgery (SSRF) vulnerability in JeecgBoot, an open-source low-code development platform. The flaw affects versions up to and including 3.9.1. It resides in the FileDownloadUtils.download2DiskFromNet function, reachable through the /airag/app/debug endpoint; the cloud instance metadata endpoint is the destination of greatest concern. An authenticated remote attacker can manipulate URL input to coerce the server into issuing arbitrary outbound requests. A public exploit has been released, increasing the likelihood of opportunistic abuse. The issue is tracked under [CWE-918] and is fixed in JeecgBoot version 3.9.2.
Critical Impact
Attackers can abuse the vulnerable download function to probe internal services and reach cloud metadata endpoints, potentially exposing instance credentials and internal infrastructure.
Affected Products
- JeecgBoot versions up to and including 3.9.1
- Component: FileDownloadUtils.download2DiskFromNet
- Endpoint: /airag/app/debug (the reachable handler; the cloud instance metadata endpoint is the notable SSRF destination)
Discovery Timeline
- 2026-06-01 - CVE-2026-10241 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10241
Vulnerability Analysis
The vulnerability is a Server-Side Request Forgery flaw [CWE-918] in JeecgBoot's file download utility. The FileDownloadUtils.download2DiskFromNet method accepts a URL parameter and fetches the remote resource server-side. The /airag/app/debug endpoint exposes this functionality without sufficient validation of the destination host. An attacker with low-privilege access can supply URLs pointing to internal IP ranges or cloud metadata services such as http://169.254.169.254/. The server then issues the request on the attacker's behalf and may return the response body. This bypasses network segmentation and can disclose internal service banners, configuration data, and cloud instance credentials.
Root Cause
The root cause is missing URL validation and allowlisting in FileDownloadUtils.download2DiskFromNet. The function trusts the caller-supplied URL and does not restrict schemes, hostnames, or IP ranges. There is no filter blocking link-local, loopback, or private network destinations before the HTTP client issues the request.
Attack Vector
Exploitation requires network access to the JeecgBoot instance and low-privilege authentication. The attacker sends a crafted HTTP request to /airag/app/debug with a URL parameter pointing to an internal resource. Typical targets include cloud metadata endpoints, internal admin panels, and unauthenticated localhost services. A public exploit is available, lowering the barrier to abuse.
No verified proof-of-concept code is published here. See GitHub Issue #9611 and the VulDB entry for CVE-2026-10241 for technical references.
Detection Methods for CVE-2026-10241
Indicators of Compromise
- Inbound HTTP requests to /airag/app/debug carrying URL parameters that reference internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses, or 169.254.169.254.
- Outbound connections from the JeecgBoot application server to cloud metadata services that do not match normal application behavior.
- Application logs showing FileDownloadUtils.download2DiskFromNet invocations with non-standard URL targets.
Detection Strategies
- Deploy web application firewall rules that inspect URL parameters on /airag/app/debug and block requests targeting private, link-local, or metadata IP ranges.
- Correlate authenticated session activity with unexpected outbound HTTP requests originating from the JeecgBoot host.
- Hunt for log entries where the URL parameter scheme is not http/https or uses encoded representations of internal addresses.
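The allowlist check that the Root Cause section says download2DiskFromNet lacks, together with a hunt over access-log lines for the indicators listed above, as an added Python example (not JeecgBoot's own code, which is Java). The deny ranges, the `url` parameter name, the log format and the sample traffic are assumptions constructed for the example.

```python
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

# Assumed deny list built from the ranges the advisory names, plus IPv6 equivalents.
BLOCKED = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "127.0.0.0/8",
           "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def parse_ip(host):
    """Literal host -> ip_address (incl. bare decimal/hex 169.254.169.254, IPv4-mapped IPv6); None for a DNS name."""
    try:
        if re.fullmatch(r"0x[0-9a-f]+|[1-9]\d*", host, re.I):
            host = int(host, 0)          # 2852039166 and 0xa9fea9fe both mean 169.254.169.254
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped              # ::ffff:169.254.169.254 is still the metadata host
    return ip

def is_safe_download_url(url, resolver=socket.gethostbyname):
    """The check download2DiskFromNet lacked: http(s) only, destination not in BLOCKED; fails closed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = parse_ip(parts.hostname)
    if ip is None:                       # DNS name: judge the address it resolves to
        try:
            ip = ipaddress.ip_address(resolver(parts.hostname))
        except (OSError, ValueError):
            return False
    # Caveat: the fetch must connect to this same ip and re-check after every redirect (DNS rebinding).
    return not any(ip in net for net in BLOCKED)

def suspicious_debug_targets(log_lines):
    """Hunt over access-log lines: flag /airag/app/debug calls whose percent-decoded url
    parameter (name assumed) fails the check; DNS names get a stub public resolution."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'/airag/app/debug\?(\S*)', line)
        hits += [(n, t) for t in (parse_qs(m.group(1)).get("url", []) if m else [])
                 if not is_safe_download_url(t, resolver=lambda h: "198.51.100.1")]
    return hits

SAMPLE_LOG = [  # constructed access-log excerpt, not real traffic; the third request is legitimate
    '10.1.2.3 admin "POST /airag/app/debug?url=http%3A%2F%2F169.254.169.254%2Flatest%2F HTTP/1.1" 200',
    '10.1.2.3 admin "POST /airag/app/debug?url=http%3A%2F%2F2852039166%2F HTTP/1.1" 200',
    '10.1.2.9 alice "POST /airag/app/debug?url=https%3A%2F%2Fexample.org%2Fmodel.json HTTP/1.1" 200',
]
```

Running suspicious_debug_targets(SAMPLE_LOG) flags the first two requests only, because parse_qs undoes the percent-encoding before the destination is judged.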
Monitoring Recommendations
- Forward JeecgBoot application logs and host-level network telemetry to a centralized analytics platform for correlation.
- Alert on any process on the JeecgBoot server resolving or connecting to 169.254.169.254 or other cloud metadata endpoints.
- Track baseline outbound connection patterns and alert on deviations after authentication events.
How to Mitigate CVE-2026-10241
Immediate Actions Required
- Upgrade JeecgBoot to version 3.9.2 or later, which contains the official fix.
- Restrict network egress from the JeecgBoot application server so it cannot reach cloud metadata endpoints or internal management interfaces.
- Review access controls on /airag/app/debug and remove access for accounts that do not require it.
Patch Information
The vendor released the fix in GitHub Release v3.9.2. Refer to GitHub Issue #9611 for upstream discussion and remediation context. Administrators should validate the upgrade in a staging environment before production rollout.
Workarounds
- Place the JeecgBoot instance behind a reverse proxy that strips or validates URL parameters destined for /airag/app/debug.
- Enforce Instance Metadata Service v2 (IMDSv2) on AWS or equivalent session-based metadata protections on other clouds to reduce credential exposure if SSRF is achieved.
- Apply outbound firewall policies denying connections from the application host to 169.254.169.254, loopback, and RFC1918 ranges unless explicitly required.
# Example egress restriction using iptables to block AWS metadata access
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Loopback traffic normally leaves only via lo, so this rule is defence in depth against misrouted packets
iptables -A OUTPUT -d 127.0.0.0/8 ! -o lo -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

