CVE-2026-7604 Overview
CVE-2026-7604 is a Server-Side Request Forgery (SSRF) vulnerability affecting JeecgBoot through version 3.9.1. The flaw resides in the OpenApiController.add and OpenApiController.call functions within OpenApiController.java, part of the OpenApi Service component. Attackers manipulate the originUrl parameter to coerce the server into issuing arbitrary outbound HTTP requests. The issue is classified under CWE-918 and has been publicly disclosed. The vendor confirmed the report and committed to a fix in an upcoming release.
Critical Impact
An authenticated remote attacker can abuse the OpenApi Service to perform server-side requests to internal hosts, enabling reconnaissance of internal infrastructure and potential interaction with otherwise non-routable services.
Affected Products
- JeecgBoot versions up to and including 3.9.1
- Component: OpenApiController.java (OpenApi Service)
- Functions: OpenApiController.add and OpenApiController.call
Discovery Timeline
- 2026-05-02 - CVE-2026-7604 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7604
Vulnerability Analysis
The vulnerability is a Server-Side Request Forgery in the JeecgBoot OpenApi Service. The add and call methods of OpenApiController accept an originUrl value sourced from the database without validating the destination host or scheme. When the controller processes this value, the application issues an HTTP request to the attacker-supplied URL from the server context. This allows the attacker to pivot through the server to reach internal services, cloud metadata endpoints, or other resources that are normally inaccessible from the public network. The attack requires network reachability to the OpenApi endpoint and low-privilege authenticated access. Public exploit information is referenced through VulDB Vulnerability #360561 and the upstream tracker at GitHub Issue #9554.
Root Cause
The root cause is missing validation on the originUrl field before the controller dispatches an outbound request. The application trusts data retrieved from the database, but that data is itself attacker-controllable through the add operation. Because the controller does not enforce an allowlist of permitted hosts or schemes, any URL the attacker stores becomes a target for the server-side fetch performed by call.
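The allowlist check the root cause describes, written out as an added example (this is illustrative Python, not JeecgBoot's own Java code or a patch from the project): the validator accepts only an approved scheme and an approved upstream host, and then resolves that host and rejects it if any address lands in a loopback, private, link-local or metadata range. The host name api.partner.example, the blocked-range list and the injectable resolver are assumptions for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy for an OpenApi-style service: only HTTPS, only a fixed set of
# upstream API hosts. The host name below is a constructed placeholder.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example"}

# Address ranges an outbound fetch must never reach; 169.254.0.0/16 covers the
# cloud metadata endpoint 169.254.169.254 named in the advisory.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(ip_text):
    """True if the address falls in a loopback, private, link-local or CGNAT range."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:10.0.0.5 the same as 10.0.0.5
    return any(ip in net for net in BLOCKED_NETWORKS)


def default_resolver(host):
    """Resolve a host name to its A/AAAA addresses with the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_origin_url(origin_url, allowed_hosts=ALLOWED_HOSTS, resolver=default_resolver):
    """Return (ok, reason). Accept only an allowlisted HTTPS host whose resolved
    addresses all lie outside the blocked ranges; everything else is rejected."""
    try:
        parts = urlsplit(origin_url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.rstrip(".") not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host did not resolve"
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"host resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demo runs without live DNS.
    fake = lambda host: ["203.0.113.10"]
    for url in ("https://api.partner.example/v1",
                "http://api.partner.example/v1",
                "https://169.254.169.254/latest/meta-data/"):
        print(url, validate_origin_url(url, resolver=fake))
```

Two design points: the resolution check is done because an allowlisted name can still resolve to an internal address (split-horizon DNS, rebinding), and a check-then-connect sequence still leaves a gap between the lookup here and the lookup the HTTP client performs. Production code should connect to the address it validated, or run this check inside the client's connection hook, and keep the network-layer egress blocks from the Workarounds section as a second layer.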
Attack Vector
An attacker with low-privilege API credentials submits a crafted originUrl to the OpenApiController.add endpoint. The value persists in the backing database. The attacker then invokes OpenApiController.call, which retrieves the stored URL and issues an HTTP request from the JeecgBoot server. Targets typically include 127.0.0.1, internal RFC1918 ranges, and cloud metadata services such as 169.254.169.254. See the GitHub Issue Comment for the public technical writeup.
No verified proof-of-concept code is published in this advisory. Refer to the GitHub issue and VulDB references for technical details.
Detection Methods for CVE-2026-7604
Indicators of Compromise
- Outbound HTTP requests from the JeecgBoot application server to internal RFC1918 addresses, localhost, or cloud metadata endpoints such as 169.254.169.254.
- Unexpected entries in the OpenApi configuration database where originUrl points to non-business hosts.
- Repeated OpenApiController.call invocations in application logs originating from a single low-privilege account.
Detection Strategies
- Inspect application access logs for sequential calls to OpenApiController.add followed by OpenApiController.call from the same session.
- Correlate web server egress traffic with the JeecgBoot process to identify outbound connections destined for internal subnets.
- Review database tables backing the OpenApi Service for originUrl values that do not match approved upstream APIs.
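The first detection strategy above (an add followed by a call from the same session) and the indicator of originUrl values pointing at non-business hosts, implemented together as an added example. This is illustrative code, not part of the advisory or of JeecgBoot; the log lines are constructed in a hypothetical key=value layout, the field names session, user, op and originUrl are assumptions, and parse_line() would need adapting to the real application log format.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log lines in a hypothetical "timestamp key=value ..." layout. This is
# not JeecgBoot's real log format; adapt parse_line() to the fields your deployment emits.
SAMPLE_LOG = """\
2026-05-03T10:00:01Z session=s1 user=apiuser op=OpenApiController.add originUrl=https://api.partner.example/v1
2026-05-03T10:00:05Z session=s1 user=apiuser op=OpenApiController.call id=41
2026-05-03T10:02:10Z session=s2 user=lowpriv op=OpenApiController.add originUrl=http://169.254.169.254/latest/meta-data/
2026-05-03T10:02:12Z session=s2 user=lowpriv op=OpenApiController.call id=42
2026-05-03T10:02:15Z session=s2 user=lowpriv op=OpenApiController.call id=42
2026-05-03T10:30:00Z session=s3 user=lowpriv op=OpenApiController.add originUrl=http://10.0.0.5:8080/admin
2026-05-03T11:45:00Z session=s3 user=lowpriv op=OpenApiController.call id=43
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def points_internal(url):
    """True if the URL host is localhost or a literal IP in a private, loopback or
    link-local range (169.254.169.254 included). Host names are not resolved here."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_suspicious_sequences(log_text, window=timedelta(minutes=10)):
    """For every session, pair each OpenApiController.add with the first
    OpenApiController.call that follows it within the window, and report the
    stored originUrl together with whether it targets an internal address."""
    by_session = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "session" in rec:
            by_session.setdefault(rec["session"], []).append(rec)
    findings = []
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        for i, add in enumerate(recs):
            if add.get("op") != "OpenApiController.add":
                continue
            for later in recs[i + 1:]:
                if later.get("op") != "OpenApiController.call":
                    continue
                if later["ts"] - add["ts"] > window:
                    break  # records are sorted, so later calls are further away still
                findings.append({
                    "session": sid,
                    "user": add.get("user"),
                    "originUrl": add.get("originUrl"),
                    "internal": points_internal(add.get("originUrl", "")),
                    "delay_s": (later["ts"] - add["ts"]).total_seconds(),
                })
                break  # the first matching call is enough to flag the pair
    return findings


def calls_per_user(log_text):
    """Count OpenApiController.call invocations per account (repeated calls from one
    low-privilege account are a listed indicator)."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("op") == "OpenApiController.call":
            counts[rec.get("user")] = counts.get(rec.get("user"), 0) + 1
    return counts


if __name__ == "__main__":
    for finding in find_suspicious_sequences(SAMPLE_LOG):
        severity = "HIGH" if finding["internal"] else "info"
        print(severity, finding)
    print(calls_per_user(SAMPLE_LOG))
```

On the constructed input, session s1 is reported as informational (a business host), s2 is reported as high because its originUrl targets the metadata address, and s3 is not paired because its call arrives outside the ten-minute window; widen the window for a retrospective hunt. Because points_internal() does not resolve host names, a name that resolves internally is only caught by the egress monitoring the advisory recommends alongside this.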
Monitoring Recommendations
- Enable network egress logging on the host running JeecgBoot and alert on connections to private IP ranges or metadata services.
- Forward JeecgBoot application logs to a centralized SIEM and retain authenticated API activity for the OpenApi endpoints.
- Monitor for anomalous response sizes returned by OpenApiController.call, which may indicate retrieval of internal service content.
How to Mitigate CVE-2026-7604
Immediate Actions Required
- Restrict access to the JeecgBoot OpenApi Service to trusted networks until a vendor patch is available.
- Audit OpenApi configuration entries and remove any originUrl values that target internal or unexpected hosts.
- Rotate credentials for any low-privilege accounts that may have been used to abuse the endpoint.
Patch Information
The vendor has acknowledged the issue and committed to addressing it in an upcoming release. Track the official fix through the JeecgBoot GitHub Project Repository and GitHub Issue #9554. Upgrade to a version newer than 3.9.1 once a patched release is published.
Workarounds
- Place the JeecgBoot server behind an egress proxy that enforces an allowlist of permitted destination hosts.
- Block outbound traffic from the application server to RFC1918 ranges, 127.0.0.0/8, and 169.254.169.254 at the network layer.
- Apply a reverse proxy or WAF rule that rejects requests to OpenApiController.add and OpenApiController.call containing URLs to internal addresses.
- Restrict OpenApi role permissions so only vetted administrators can register new originUrl values.
# Example iptables rules blocking egress from the JeecgBoot host (assumed to run as uid "jeecg")
# to the cloud metadata address, loopback and all three RFC1918 ranges. Rejecting 127.0.0.0/8
# also blocks local connections the application may legitimately need (for example a database
# on localhost); add an earlier ACCEPT rule for those ports before applying it.
iptables -A OUTPUT -m owner --uid-owner jeecg -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -m owner --uid-owner jeecg -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner jeecg -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner jeecg -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner jeecg -d 192.168.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.