Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-11502

CVE-2026-11502: JeecgBoot Open Redirect Vulnerability

CVE-2026-11502 is an open redirect flaw in JeecgBoot's third-party login function affecting versions up to 3.9.2. Attackers can manipulate the state parameter to redirect users to malicious sites.

Published:

CVE-2026-11502 Overview

CVE-2026-11502 is an open redirect vulnerability [CWE-601] affecting JeecgBoot versions up to 3.9.2. The flaw resides in the HttpServletResponse.sendRedirect call within jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java, part of the Third-Party Login component. An unauthenticated remote attacker can manipulate the state argument to redirect victims to an attacker-controlled destination. Exploitation requires user interaction and social engineering, which the project maintainers note reduces real-world exploitability. A public exploit has been disclosed.

Critical Impact

Successful exploitation enables phishing and credential theft by redirecting users from a trusted JeecgBoot OAuth login flow to an attacker-controlled URL.

Affected Products

  • JeecgBoot versions up to and including 3.9.2
  • Component: Third-Party Login (ThirdLoginController.java)
  • Integrations such as DingTalk and WeChat OAuth login flows

Discovery Timeline

  • 2026-06-08 - CVE-2026-11502 published to NVD
  • 2026-06-08 - Last updated in NVD database

Technical Details for CVE-2026-11502

Vulnerability Analysis

The vulnerability is classified as a URL Redirection to Untrusted Site (Open Redirect) under [CWE-601]. JeecgBoot's ThirdLoginController handles OAuth callback flows for third-party identity providers including DingTalk and WeChat. During callback processing, the controller consumes the state parameter and passes it into HttpServletResponse.sendRedirect without validating the destination against an allow-list of trusted hosts.

Because the redirect originates from the legitimate JeecgBoot domain, the browser follows it without warning. Attackers leverage this trust to send victims to phishing pages that mimic post-login screens. The CWE classification places this in the open redirect category rather than a server-side compromise.

Root Cause

The root cause is missing validation of the state argument before invoking sendRedirect. The OAuth state parameter is intended to carry a CSRF-binding nonce, not a redirect target. By overloading state with a URL and passing it directly to the redirect API, the controller allows arbitrary external destinations. No host allow-list, relative-path enforcement, or signed-state verification is applied.

Attack Vector

An attacker crafts a third-party login URL that points to a vulnerable JeecgBoot deployment and embeds an attacker-controlled domain inside the state parameter. The attacker then uses social engineering, such as a phishing email or chat message, to induce the victim to click the link. After the OAuth flow completes, JeecgBoot calls sendRedirect with the attacker-supplied value, sending the authenticated user's browser to the malicious site. The destination can host credential harvesting forms, malware downloads, or further OAuth consent prompts. The maintainers note that the third-party login feature is optional and may not be enabled in many deployments.

No verified proof-of-concept code is published in the referenced advisories. See the GitHub Issue Tracker and VulDB CVE Detail for technical references.

Detection Methods for CVE-2026-11502

Indicators of Compromise

  • Outbound HTTP 302 responses from JeecgBoot containing Location headers pointing to external, non-allow-listed domains following requests to third-party login callback endpoints.
  • Inbound requests to ThirdLoginController endpoints with a state parameter containing URL-encoded external hostnames or http:///https:// prefixes.
  • Spikes in third-party login callback traffic from unfamiliar referrers or user agents associated with phishing campaigns.

Detection Strategies

  • Inspect web server and reverse proxy logs for sendRedirect responses whose Location value does not match the configured JeecgBoot host.
  • Deploy WAF rules that flag OAuth state parameters containing absolute URLs or encoded scheme delimiters such as %3A%2F%2F.
  • Correlate user click telemetry with redirect chains that exit the JeecgBoot domain immediately after third-party login.

Monitoring Recommendations

  • Forward JeecgBoot application logs and reverse-proxy access logs to a centralized SIEM for redirect-pattern analytics.
  • Alert on any callback to /jeecg-boot/sys/thirdLogin/* whose response redirects off-domain.
  • Track user reports of unexpected redirects after clicking internal links as a leading phishing indicator.

How to Mitigate CVE-2026-11502

Immediate Actions Required

  • Disable the Third-Party Login feature in JeecgBoot configuration if DingTalk, WeChat, or other OAuth providers are not in use.
  • Restrict access to ThirdLoginController endpoints via reverse-proxy ACLs until a patched build is deployed.
  • Educate users about phishing links that begin on legitimate internal domains but redirect externally.

Patch Information

At the time of NVD publication on 2026-06-08, no fixed version was identified in the advisory. Monitor the JeecgBoot GitHub Repository and the corresponding GitHub Issue Comment for vendor remediation guidance. Upgrade beyond version 3.9.2 once a patched release is published.

Workarounds

  • Implement a server-side allow-list of permitted redirect hosts and reject any state value containing an absolute URL.
  • Configure a WAF rule to strip or block state parameters that match URL patterns on third-party login callback routes.
  • Replace direct use of HttpServletResponse.sendRedirect with a wrapper that resolves only to relative paths under the application context.
bash
# Example WAF rule (ModSecurity) to block external URLs in the OAuth state parameter
SecRule REQUEST_URI "@beginsWith /jeecg-boot/sys/thirdLogin" \
  "chain,id:1026115021,phase:2,deny,status:400,msg:'CVE-2026-11502 open redirect attempt'"
  SecRule ARGS:state "@rx ^(https?:|//)" "t:urlDecodeUni,t:lowercase"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.