CVE-2026-9373 Overview
CVE-2026-9373 is an improper authentication vulnerability in JeecgBoot 3.9.1. The flaw lies in as-yet-undisclosed processing logic of the /openapi/call/ endpoint in the OpenAPI component. A remote attacker can manipulate the authentication handling without holding any prior credentials. The weakness maps to [CWE-287] Improper Authentication.
Exploitation is rated as high complexity and difficult to execute reliably. The vendor was contacted before public disclosure but did not respond. No patch is currently linked to this advisory in NVD.
Critical Impact
Remote attackers can bypass authentication controls on the JeecgBoot OpenAPI endpoint. The documented impact is limited to integrity (rated low): an attacker may be able to alter application data through OpenAPI calls without valid credentials, while no confidentiality or availability impact has been confirmed.
Affected Products
- JeecgBoot 3.9.1
- JeecgBoot OpenAPI component (/openapi/call/ endpoint)
- Deployments exposing the OpenAPI endpoint to untrusted networks
Discovery Timeline
- 2026-05-24 - CVE-2026-9373 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9373
Vulnerability Analysis
The vulnerability resides in the OpenAPI Endpoint handler at /openapi/call/ within JeecgBoot 3.9.1. The endpoint performs authentication checks that can be circumvented through specific request manipulations. Successful exploitation results in limited integrity impact against the application, with no confirmed confidentiality or availability consequences.
The attack proceeds over the network and requires neither user interaction nor pre-existing privileges. However, the exploit chain demands non-trivial conditions, which raises attack complexity and limits opportunistic abuse. The EPSS data reports a low probability of exploitation in the near term.
Root Cause
The root cause is improper authentication logic [CWE-287] in the OpenAPI call dispatcher. The endpoint accepts requests that should require valid authentication, but the verification routine does not reliably enforce identity validation. The exact code path has not been disclosed in public references.
Attack Vector
An unauthenticated remote attacker sends crafted HTTP requests to the /openapi/call/ endpoint. The request must satisfy conditions that make exploitation difficult, but on success it bypasses the authentication layer. Because no public proof-of-concept is documented, defenders should treat reachability of the endpoint as the primary risk factor.
No verified exploitation code is publicly available for this CVE. Refer to VulDB Vulnerability #365337 for additional technical context as it becomes available.
Detection Methods for CVE-2026-9373
Indicators of Compromise
- Unauthenticated HTTP requests to /openapi/call/ returning successful (2xx) responses
- Repeated requests to the OpenAPI endpoint from a single source with varying parameters or signatures
- Application log entries showing successful OpenAPI invocations without a preceding authentication event
Detection Strategies
- Inspect web access logs for requests to /openapi/call/ that lack valid session tokens or API signatures
- Correlate OpenAPI calls against authentication audit logs to identify mismatches between authenticated sessions and invoked operations
- Deploy WAF or reverse proxy rules that log and flag anomalous parameter patterns against the OpenAPI endpoint
Monitoring Recommendations
- Alert on spikes in /openapi/call/ traffic volume or error rates compared to baseline
- Monitor for changes to data modified through OpenAPI calls, since integrity impact is the documented consequence
- Track source IPs that probe multiple OpenAPI sub-paths in short time windows
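As an added illustration of the indicators, detection strategies and monitoring points above (this is not code from the page or from the JeecgBoot project), the following Python script runs two of those checks over a few constructed nginx access-log lines: 2xx answers on /openapi/call/ that carried no token, and sources that touch several distinct OpenAPI sub-paths inside a short window. It assumes a custom nginx log_format that appends the value of the X-Access-Token header (the header name is an assumption; substitute whatever header or signature your OpenAPI clients actually send) and treats /openapi/call/ as the watched prefix.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed nginx log_format (not JeecgBoot's default):
#   '$remote_addr [$time_iso8601] "$request" $status "$http_x_access_token"'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<token>[^"]*)"$'
)
OPENAPI_PREFIX = "/openapi/call/"   # endpoint named in the advisory
WINDOW = timedelta(minutes=5)       # probe window (tunable)
PROBE_THRESHOLD = 3                 # distinct sub-paths per source per window


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    # nginx logs an absent header as "-"; normalise both forms to empty
    rec["token"] = "" if rec["token"] in ("", "-") else rec["token"]
    return rec


def unauthenticated_successes(records):
    """Indicator: successful (2xx) OpenAPI calls that carried no token header."""
    return [r for r in records
            if r["path"].startswith(OPENAPI_PREFIX)
            and 200 <= r["status"] < 300
            and not r["token"]]


def probing_sources(records):
    """Indicator: sources hitting >= PROBE_THRESHOLD distinct sub-paths within WINDOW."""
    by_ip = defaultdict(list)
    for r in records:
        if r["path"].startswith(OPENAPI_PREFIX):
            by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            # sliding window starting at each request; query strings are ignored
            paths = {r["path"].split("?")[0] for r in recs[i:]
                     if r["ts"] - start["ts"] <= WINDOW}
            if len(paths) >= PROBE_THRESHOLD:
                flagged[ip] = sorted(paths)
                break
    return flagged


# Constructed sample log (not real traffic): one legitimate client (10.0.0.5)
# and one external source probing several sub-paths without a token.
SAMPLE_LOG = """\
10.0.0.5 [2026-05-25T10:00:01+00:00] "POST /openapi/call/orders/list HTTP/1.1" 200 "eyJhbGciOi..."
203.0.113.9 [2026-05-25T10:00:02+00:00] "POST /openapi/call/orders/list HTTP/1.1" 401 "-"
203.0.113.9 [2026-05-25T10:00:03+00:00] "POST /openapi/call/orders/update HTTP/1.1" 200 "-"
203.0.113.9 [2026-05-25T10:00:04+00:00] "POST /openapi/call/users/list HTTP/1.1" 401 "-"
203.0.113.9 [2026-05-25T10:00:05+00:00] "POST /openapi/call/users/list?x=1 HTTP/1.1" 403 "-"
10.0.0.5 [2026-05-25T10:30:00+00:00] "GET /openapi/docs HTTP/1.1" 200 "-"
"""


def analyze(text):
    """Run both checks over a log text and return the findings."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return {
        "unauth_success": [(r["ip"], r["path"]) for r in unauthenticated_successes(records)],
        "probers": probing_sources(records),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(name, finding)
```

A 2xx without a token is only a strong indicator if every legitimate OpenAPI client authenticates through the logged header; if some clients sign requests another way, log that field instead, otherwise the first check produces false positives. The second check is independent of authentication and is the one worth keeping even on a patched system.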
How to Mitigate CVE-2026-9373
Immediate Actions Required
- Restrict network exposure of the /openapi/call/ endpoint to trusted IP ranges or internal networks only
- Place JeecgBoot behind an authenticating reverse proxy that enforces token validation before requests reach the application
- Audit existing OpenAPI integrations and rotate any API keys or signing secrets used by legitimate clients
Patch Information
No vendor patch is referenced in the NVD entry for CVE-2026-9373. The vendor was contacted prior to disclosure but did not respond. Track the VulDB advisory and the JeecgBoot project for an upstream fix and upgrade as soon as one is released.
Workarounds
- Disable the OpenAPI feature in JeecgBoot if it is not actively used by integrated systems
- Enforce mutual TLS or additional reverse-proxy authentication in front of /openapi/call/
- Apply strict allowlists at the network layer to limit which clients can reach the OpenAPI endpoint
# Example nginx configuration (server {} context) to restrict access to the OpenAPI endpoint
location /openapi/call/ {
    allow 10.0.0.0/8;                # network allowlist is checked first
    allow 192.168.0.0/16;
    deny all;
    auth_request /_validate_token;   # then the validator must answer 2xx
    proxy_pass http://jeecgboot_backend;
}
location = /_validate_token {
    internal;                        # not reachable directly by clients
    proxy_pass http://token_validator/validate;
    proxy_pass_request_body off;     # forward headers only
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Original-Method $request_method;
}
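The auth_request directive above needs something to answer it. As an added example (not the page's own code and not JeecgBoot's OpenAPI signing scheme, which this page does not describe), here is a small WSGI validator that nginx can call: it looks up the client's API key, rejects stale timestamps, and checks an HMAC-SHA256 over method, URI and timestamp. The header names (X-Api-Key, X-Timestamp, X-Signature) and the client registry are assumptions; nginx is expected to forward X-Original-URI and X-Original-Method from the subrequest location. Clients would have to sign requests this way, so treat it as a compensating control in front of the vulnerable endpoint, not a replacement for the upstream fix.

```python
import hashlib
import hmac
import time

# Hypothetical client registry (constructed): api key -> shared secret.
# In practice load this from a secret store and rotate it (see Immediate Actions).
API_SECRETS = {"client-A": b"0123456789abcdef0123456789abcdef"}
MAX_SKEW = 300  # seconds of clock skew tolerated before a request is stale


def canonical_string(method, uri, timestamp):
    """Bytes that both client and validator sign: METHOD, URI, timestamp."""
    return f"{method.upper()}\n{uri}\n{timestamp}".encode()


def sign(secret, method, uri, timestamp):
    """Client-side signature: hex HMAC-SHA256 over the canonical string."""
    return hmac.new(secret, canonical_string(method, uri, timestamp), hashlib.sha256).hexdigest()


def verify_request(headers, now=None):
    """Validate one request. headers has lower-case keys. Returns (ok, reason)."""
    now = time.time() if now is None else now
    key = headers.get("x-api-key", "")
    sig = headers.get("x-signature", "")
    method = headers.get("x-original-method", "")
    uri = headers.get("x-original-uri", "")
    secret = API_SECRETS.get(key)
    if secret is None:
        return False, "unknown api key"
    try:
        ts = int(headers.get("x-timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"          # limits replay of captured requests
    expected = sign(secret, method, uri, ts)
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return False, "bad signature"
    return True, "ok"


def app(environ, start_response):
    """WSGI entry point for nginx auth_request: 200 allows the call, 401 blocks it."""
    headers = {k[5:].replace("_", "-").lower(): v
               for k, v in environ.items() if k.startswith("HTTP_")}
    ok, reason = verify_request(headers)
    status = "200 OK" if ok else "401 Unauthorized"
    start_response(status, [("Content-Type", "text/plain"), ("X-Auth-Reason", reason)])
    return [reason.encode()]


if __name__ == "__main__":
    # Run with: python validator.py  (then point token_validator at 127.0.0.1:9000)
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 9000, app).serve_forever()
```

Because the body is stripped by proxy_pass_request_body off, the signature deliberately covers only method, URI and timestamp; if request bodies must be bound to the signature, hash the body on the client and include the digest as a signed header instead.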
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


