CVE-2026-58377 Overview
CVE-2026-58377 is a broken access control vulnerability in JeecgBoot through version 3.9.2. The OpenApiAuthController and OpenApiPermissionController endpoints lack Shiro authorization annotations. Any authenticated low-privilege user can perform full create, read, update, and delete operations on OpenAPI credentials. The list endpoint returns AccessKey and SecretKey (AK/SK) pairs in plaintext, enabling credential theft and unauthorized invocation of the OpenAPI surface. The issue is classified under [CWE-862] Missing Authorization.
Critical Impact
Low-privilege authenticated users can extract plaintext OpenAPI secret keys and manipulate credential records, leading to full compromise of the OpenAPI attack surface.
Affected Products
- JeecgBoot versions through 3.9.2
- OpenApiAuthController endpoint
- OpenApiPermissionController endpoint
Discovery Timeline
- 2026-06-30 - CVE-2026-58377 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-58377
Vulnerability Analysis
JeecgBoot exposes OpenAPI credential management through the OpenApiAuthController and OpenApiPermissionController controllers. These controllers implement create, read, update, and delete operations for AK/SK credential pairs used to authenticate external API consumers. The controllers are missing Apache Shiro authorization annotations that would normally restrict access to administrative users. As a result, the application enforces authentication but not authorization on these endpoints.
Any user with a valid session, including the lowest-privilege accounts, can invoke the credential management functions. The listing operation returns records containing the secret key in plaintext rather than a masked or hashed representation. Attackers can enumerate all issued credentials, harvest the secrets, and then use them to call downstream OpenAPI endpoints under the identity of privileged integrations.
Root Cause
The root cause is missing role or permission checks on controller methods that manage sensitive credential data. Shiro annotations such as @RequiresRoles or @RequiresPermissions are absent from the affected handlers. The application also fails to redact secret values when serializing credential records to API responses.
Attack Vector
Exploitation requires network access to the JeecgBoot application and a low-privilege authenticated session. The attacker sends HTTP requests to the exposed credential management routes on OpenApiAuthController and OpenApiPermissionController. The list route returns plaintext AK/SK pairs in its JSON response. The attacker can then use the stolen credentials to invoke OpenAPI endpoints, or issue update and delete requests to replace legitimate credentials with attacker-controlled values. See the VulnCheck Security Advisory and the GitHub Issue Discussion for endpoint specifics.
Detection Methods for CVE-2026-58377
Indicators of Compromise
- Requests from low-privilege user sessions targeting URIs associated with OpenApiAuthController or OpenApiPermissionController.
- HTTP responses from credential list endpoints containing plaintext accessKey and secretKey fields.
- Unexpected create, update, or delete operations against the OpenAPI credential table in the JeecgBoot database.
- OpenAPI invocations from unfamiliar source IP addresses using recently listed AK/SK pairs.
Detection Strategies
- Correlate application access logs with user role data to identify non-administrative accounts hitting credential management endpoints.
- Alert on any HTTP 200 response from the credential list endpoint that is not initiated by a known administrator session.
- Baseline normal OpenAPI credential churn and flag bursts of credential mutations within short time windows.
Monitoring Recommendations
- Forward JeecgBoot application logs, Shiro audit events, and reverse proxy access logs to a centralized analytics platform such as Singularity Data Lake for retention and correlation.
- Monitor egress from the JeecgBoot host for OpenAPI calls that reuse credentials shortly after they appear in a list response.
- Track database writes to the OpenAPI credential table and alert on modifications made outside of change windows.
How to Mitigate CVE-2026-58377
Immediate Actions Required
- Rotate all existing OpenAPI AK/SK credential pairs issued by affected JeecgBoot instances.
- Restrict network reachability to the /openApi administrative routes using a reverse proxy or WAF rule until a patch is applied.
- Audit application logs for prior access to the credential management endpoints by non-administrative accounts.
- Review OpenAPI usage logs for calls made with credentials that may have been exposed.
Patch Information
At the time of publication, the vendor tracking issue is available at the JeecgBoot GitHub Issue Discussion. Administrators should upgrade to a JeecgBoot release later than 3.9.2 that adds Shiro authorization annotations to OpenApiAuthController and OpenApiPermissionController, and that removes plaintext secrets from list responses. Consult the VulnCheck Security Advisory for the latest fix status.
Workarounds
- Apply a custom Shiro filter that requires an administrative role on all URIs served by the OpenAPI credential controllers.
- Block requests to the affected controller paths at the ingress layer for all users except a defined administrator allowlist.
- Modify credential list responses to mask or omit the secretKey field until the upstream fix is available.
# Example NGINX ingress rule restricting OpenAPI credential endpoints by source IP
location ~* ^/jeecg-boot/sys/openApi(Auth|Permission)/ {
allow 10.0.0.0/24; # admin management subnet
deny all;
proxy_pass http://jeecgboot_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

