CVE-2026-9580 Overview
CVE-2026-9580 is an improper access control vulnerability in JeecgBoot versions up to 3.9.1. The flaw resides in the LoginController.selectDepart function exposed through the /sys/selectDepart endpoint. Remote attackers can manipulate the affected function to bypass intended access restrictions without requiring authentication or user interaction. The exploit has been publicly disclosed, increasing the likelihood of opportunistic abuse against exposed instances. JeecgBoot is a widely deployed low-code development platform used to build enterprise applications, making exposed installations attractive targets for reconnaissance and lateral access. Upgrading to version 3.9.2 resolves the issue. This vulnerability is tracked under [CWE-266: Incorrect Privilege Assignment].
Critical Impact
Remote unauthenticated attackers can exploit improper access controls in the /sys/selectDepart endpoint to bypass authorization checks on JeecgBoot instances up to version 3.9.1.
Affected Products
- JeecgBoot versions up to and including 3.9.1
- JeecgBoot LoginController.selectDepart function
- JeecgBoot /sys/selectDepart endpoint
Discovery Timeline
- 2026-05-26 - CVE-2026-9580 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-9580
Vulnerability Analysis
The vulnerability stems from missing or insufficient access control logic in the LoginController.selectDepart method. The /sys/selectDepart endpoint handles department selection during the login workflow in JeecgBoot. Because the function fails to properly verify the caller's privileges before returning or acting on requested data, an attacker can invoke it remotely without proper authorization. The attack vector is the network, the attack complexity is low, and no privileges or user interaction are required. The EPSS score is 0.045%, with a percentile of 14.27, indicating low observed exploitation activity at this time despite public disclosure of exploit details.
Root Cause
The root cause is improper access controls within the department selection logic of LoginController. The endpoint trusts client-supplied input without enforcing server-side authorization checks that confirm the requester is entitled to interact with the targeted department or session context. This pattern aligns with [CWE-266], where privilege assignment does not match the intended trust boundary.
Attack Vector
An attacker sends a crafted HTTP request to /sys/selectDepart on an exposed JeecgBoot instance. Because the endpoint does not require valid authentication tokens or correctly scoped session context, the attacker can trigger the selectDepart flow and influence department selection behavior. The vulnerability impacts confidentiality, integrity, and availability at low levels, consistent with limited but meaningful access bypass. Public disclosure of the exploit increases the risk of automated scanning and abuse.
No verified proof-of-concept code is available in the enriched data. Refer to the GitHub Issue #9597 and VulDB Vulnerability #365636 for additional technical context.
Detection Methods for CVE-2026-9580
Indicators of Compromise
- Unauthenticated HTTP requests to /sys/selectDepart originating from external or unexpected IP addresses.
- Anomalous department selection events in JeecgBoot application logs without preceding successful authentication.
- Repeated probing of /sys/ endpoints consistent with automated vulnerability scanning.
Detection Strategies
- Inspect web server and application logs for requests to /sys/selectDepart lacking valid session cookies or JWT tokens.
- Deploy web application firewall (WAF) rules that flag access to /sys/selectDepart from unauthenticated sessions.
- Correlate access to the affected endpoint with subsequent privileged actions to identify potential exploitation chains.
Monitoring Recommendations
- Enable verbose logging on the LoginController class and forward logs to a centralized SIEM for correlation.
- Alert on spikes in traffic to /sys/ endpoints, especially when sourced from geographies outside normal user populations.
- Monitor outbound traffic from JeecgBoot servers for signs of post-exploitation reconnaissance or data exfiltration.
How to Mitigate CVE-2026-9580
Immediate Actions Required
- Upgrade JeecgBoot to version 3.9.2 or later, which contains the official fix for this vulnerability.
- Restrict network exposure of JeecgBoot administrative and /sys/ endpoints to trusted internal networks only.
- Audit recent access logs for unauthenticated requests to /sys/selectDepart and investigate any anomalies.
Patch Information
The JeecgBoot maintainers released version 3.9.2 to remediate this issue. The patched release is available at GitHub Release Version 3.9.2. Administrators should review the GitHub Comment on Issue #9597 for maintainer guidance and validate that production deployments reference the fixed version.
Workarounds
- Place JeecgBoot behind an authenticated reverse proxy that enforces session validation before requests reach the application.
- Use WAF rules to block unauthenticated access to /sys/selectDepart until the upgrade is applied.
- Disable or firewall the /sys/selectDepart endpoint at the network edge for instances that cannot be immediately patched.
# Example nginx configuration to require authentication for /sys/selectDepart
location = /sys/selectDepart {
if ($http_authorization = "") {
return 401;
}
proxy_pass http://jeecgboot_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
