CVE-2026-7602 Overview
CVE-2026-7602 is an improper authorization vulnerability [CWE-266] in JeecgBoot up to version 3.9.1. The flaw resides in the FillRuleUtil component, specifically in the /sys/fillRule/edit endpoint. An attacker can manipulate the ruleClass argument to bypass authorization controls. The attack is exploitable remotely and requires only low-privilege authentication. The exploit has been disclosed publicly, increasing the likelihood of opportunistic attempts against exposed instances.
Critical Impact
Authenticated remote attackers can abuse the ruleClass parameter in /sys/fillRule/edit to perform actions outside their intended privilege level, affecting confidentiality, integrity, and availability of the JeecgBoot application.
Affected Products
- JeecgBoot versions up to and including 3.9.1
- FillRuleUtil component (/sys/fillRule/edit)
- Deployments of the JeecgBoot low-code platform exposing the affected endpoint
Discovery Timeline
- 2026-05-02 - CVE-2026-7602 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7602
Vulnerability Analysis
The vulnerability is an improper authorization issue [CWE-266] in JeecgBoot, an open-source low-code development platform. The affected functionality is reached through the /sys/fillRule/edit HTTP endpoint, which is part of the FillRuleUtil component used to manage data fill rules.
The endpoint accepts a ruleClass argument that designates the Java class to be loaded or referenced when persisting a fill rule. The application fails to enforce sufficient authorization checks on this parameter. As a result, an authenticated user with low privileges can supply or modify the ruleClass value to influence rule definitions that should be reserved for higher-privileged roles.
Because FillRuleUtil is invoked during code-generation and form-handling workflows, manipulated rules can be triggered by other users of the platform, expanding the impact beyond the original session.
Root Cause
The root cause is the absence of a granular authorization check on the ruleClass parameter at the /sys/fillRule/edit handler. The application validates that a session is authenticated but does not verify whether the caller is permitted to define or alter rule classes. This violates the principle of least privilege and matches the CWE-266 pattern of incorrect privilege assignment.
Attack Vector
The attack vector is network-based and requires low privileges with no user interaction. An attacker authenticates to a JeecgBoot instance, then issues a crafted HTTP request to /sys/fillRule/edit with a manipulated ruleClass value. The server processes the request without enforcing the necessary role check, allowing the attacker to alter fill rule configurations. Public exploitation details are referenced in the GitHub JeecgBoot Issue #9552 and VulDB #360559 entries.
No verified proof-of-concept code is reproduced here. Refer to the upstream issue tracker for technical specifics.
Detection Methods for CVE-2026-7602
Indicators of Compromise
- HTTP POST or GET requests to /sys/fillRule/edit originating from accounts that should not have administrative responsibilities.
- Unexpected values in the ruleClass parameter referencing classes outside the standard JeecgBoot fill-rule package.
- New or modified entries in the sys_fill_rule database table created by low-privileged user IDs.
Detection Strategies
- Inspect application access logs for requests to /sys/fillRule/edit and correlate the requesting principal against the role assigned in sys_user_role.
- Apply web application firewall rules that flag unusual ruleClass values, especially fully qualified class names not present in a known allowlist.
- Track changes to fill-rule definitions and alert when modifications occur outside change-control windows.
Monitoring Recommendations
- Enable verbose audit logging on JeecgBoot's org.jeecg.modules.system.controller packages and forward events to a centralized log platform.
- Baseline normal usage of /sys/fillRule/edit per role and alert on deviations.
- Continuously monitor JeecgBoot release notes and the upstream GitHub repository for the patch announcement referenced by the vendor.
How to Mitigate CVE-2026-7602
Immediate Actions Required
- Restrict network access to the JeecgBoot management interface to trusted administrative networks until a patched release is installed.
- Audit existing user accounts and revoke unnecessary privileges, particularly access to fill-rule configuration features.
- Review the sys_fill_rule table for unauthorized entries and remove or revert rule classes that do not match expected values.
Patch Information
The vendor confirmed the issue and stated that a fix will be included in an upcoming JeecgBoot release. Track the JeecgBoot GitHub repository and the vendor response on Issue #9552 for the patched version. Upgrade to a release later than 3.9.1 once available.
Workarounds
- Place a reverse proxy or WAF rule in front of JeecgBoot to deny requests to /sys/fillRule/edit from non-administrative source IP ranges.
- Implement a server-side allowlist of acceptable ruleClass values by extending the controller logic, if local code changes are feasible.
- Disable or restrict access to the code-generation and fill-rule modules for low-privileged roles via the role-permission matrix.
# Example NGINX rule restricting /sys/fillRule/edit to an admin subnet
location = /sys/fillRule/edit {
allow 10.0.10.0/24; # admin network
deny all;
proxy_pass http://jeecgboot_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
