Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-11464

CVE-2026-11464: JeecgBoot Information Disclosure Flaw

CVE-2026-11464 is an information disclosure vulnerability in JeecgBoot up to version 3.9.2 affecting the User List Endpoint. This article covers technical details, affected versions, exploitation risk, and mitigation.

Published:

CVE-2026-11464 Overview

CVE-2026-11464 is an information disclosure vulnerability in JeecgBoot versions up to 3.9.2. The flaw resides in the queryPageList function within src\main\java\org\jeecg\modules\system\controller\SysUserController.java, part of the User List Endpoint component. Manipulation of the salt argument exposes sensitive data to authenticated remote attackers. The weakness is classified under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. A public exploit exists, though exploitation is considered difficult due to high attack complexity. A fix is planned for an upcoming release.

Critical Impact

Authenticated remote attackers can extract password salt values from the JeecgBoot user list endpoint, weakening downstream credential security and enabling offline password cracking against captured hashes.

Affected Products

  • JeecgBoot versions up to and including 3.9.2
  • Component: User List Endpoint (SysUserController.java)
  • Function: queryPageList

Discovery Timeline

  • 2026-06-07 - CVE-2026-11464 published to NVD
  • 2026-06-08 - Last updated in NVD database

Technical Details for CVE-2026-11464

Vulnerability Analysis

The vulnerability exists in the queryPageList method of SysUserController.java in the JeecgBoot low-code platform. The endpoint returns user records that include the salt field used during password hashing. Authenticated attackers with low privileges can query this endpoint remotely and retrieve salt values that should remain server-side.

Exposing salt values undermines a core defense against rainbow table and offline brute-force attacks. If an attacker subsequently acquires password hashes through another vector, the disclosed salts accelerate credential cracking. The flaw maps to [CWE-200] and stems from inadequate field-level filtering in the API response serialization.

Root Cause

The root cause is improper filtering of sensitive fields when serializing SysUser objects in the paginated list response. The salt attribute is included in the JSON payload returned to the caller rather than stripped before transmission. Security-sensitive properties should be excluded from list endpoints by default through annotations such as @JsonIgnore or DTO-based response mapping.

Attack Vector

The attack requires network access and low-privilege authenticated credentials. An attacker queries the user list endpoint and parses the response to harvest salt values associated with each user account. The attack complexity is high because exploitation depends on possessing valid credentials and chaining the disclosed data with additional compromise to be operationally useful. The exploit is publicly available, increasing the likelihood of automated probing.

No verified exploit code is reproduced here. Refer to the GitHub Issue #9648 and VulDB CVE-2026-11464 entry for technical details.

Detection Methods for CVE-2026-11464

Indicators of Compromise

  • Repeated authenticated GET requests to JeecgBoot user list endpoints (/sys/user/list or equivalent paths invoking queryPageList).
  • Unusually large or paginated enumeration patterns from a single authenticated session targeting user records.
  • HTTP response bodies from the user list endpoint containing salt field values returned to non-administrative roles.

Detection Strategies

  • Inspect application logs for queries to SysUserController.queryPageList originating from low-privilege accounts.
  • Implement response body inspection at the API gateway to flag outbound payloads containing salt keys from /sys/user/* routes.
  • Correlate authentication events with subsequent bulk user enumeration to identify reconnaissance behavior.

Monitoring Recommendations

  • Enable verbose audit logging on the JeecgBoot SysUserController and forward logs to a centralized SIEM.
  • Alert on anomalous pagination parameters (pageSize set to large values) against the user list endpoint.
  • Track failed login attempts following user enumeration activity, which may indicate offline cracking success.

How to Mitigate CVE-2026-11464

Immediate Actions Required

  • Restrict access to the JeecgBoot user list endpoint to administrative roles only through application-level authorization controls.
  • Review and rotate user passwords if there is evidence the user list endpoint was queried by unauthorized accounts.
  • Deploy a web application firewall rule to block or alert on responses containing the salt field from user list APIs.

Patch Information

A fix is planned for an upcoming JeecgBoot release. Monitor the JeecgBoot GitHub repository and GitHub Issue #9648 for patch availability. Apply the official update as soon as it is released.

Workarounds

  • Modify SysUserController.queryPageList locally to strip salt, password, and other sensitive fields before returning the response.
  • Introduce a Data Transfer Object (DTO) for user list responses that excludes credential-related fields by design.
  • Limit the endpoint to administrator roles using Spring Security or JeecgBoot's role-based access control until the official patch is applied.
bash
# Configuration example: restrict user list endpoint via reverse proxy (nginx)
location /sys/user/list {
    # Allow only internal admin network
    allow 10.0.0.0/24;
    deny all;
    proxy_pass http://jeecgboot-backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.