Description

A vulnerability was found in JeecgBoot up to 3.9.1. It affects the function user.getUsername of the file /sys/user/login/setting/userEdit in the component SysUser. Manipulating the argument userIdentity results in improper access controls. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading the affected component to version 3.9.2 is recommended to address this issue.

PUBLISHED Reserved 2026-05-26 | Published 2026-05-26 | Updated 2026-05-27 | Assigner VulDB




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
MEDIUM: 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
6.5 | AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

Improper Access Controls

Incorrect Privilege Assignment

Timeline

2026-05-26: Advisory disclosed
2026-05-26: VulDB entry created
2026-05-26: VulDB entry last update

Credits

AliceS614 (VulDB User) reporter

References

vuldb.com/vuln/365635 (VDB-365635 | JeecgBoot SysUser userEdit user.getUsername access control) vdb-entry technical-description

vuldb.com/vuln/365635/cti (VDB-365635 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/submit/817891 (Submit #817891 | JeecgBoot 3.9.1 Improper Access Controls) third-party-advisory

github.com/jeecgboot/JeecgBoot/issues/9596 exploit issue-tracking

github.com/jeecgboot/JeecgBoot/releases/tag/v3.9.2 patch

github.com/jeecgboot/JeecgBoot/ product

cve.org (CVE-2026-9579)

nvd.nist.gov (CVE-2026-9579)