{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5616", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-05T15:40:39.007Z", "datePublished": "2026-04-06T03:15:14.731Z", "dateUpdated": "2026-04-07T03:00:24.200Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-06T03:15:14.731Z"}, "title": "JeecgBoot AI Chat JeecgBizToolsProvider.java missing authentication", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-306", "lang": "en", "description": "Missing Authentication"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "Improper Authentication"}]}], "affected": [{"vendor": "n/a", "product": "JeecgBoot", "versions": [{"version": "3.9.0", "status": "affected"}, {"version": "3.9.1", "status": "affected"}], "modules": ["AI Chat Module"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java of the component AI Chat Module. Such manipulation leads to missing authentication. The attack can be executed remotely. The name of the patch is b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59. It is best practice to apply a patch to resolve this issue. The project fixed the issue with a commit which shall be part of the next official release."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-05T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-05T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-05T17:45:49.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "anch0r (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355407", "name": "VDB-355407 | JeecgBoot AI Chat JeecgBizToolsProvider.java missing authentication", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/355407/cti", "name": "VDB-355407 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/785570", "name": "Submit #785570 | JeecgBoot 3.9.0, 3.9.1 Improper Access Controls", "tags": ["third-party-advisory"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/issues/9464", "tags": ["issue-tracking"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/pull/9463", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/commit/b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39", "tags": ["patch"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T03:00:14.024750Z", "id": "CVE-2026-5616", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T03:00:24.200Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5616", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T03:00:14.024750Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T03:00:20.422Z"}}], "cna": {"tags": ["x_open-source"], "title": "JeecgBoot AI Chat JeecgBizToolsProvider.java missing authentication", "credits": [{"lang": "en", "type": "reporter", "value": "anch0r (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C"}}], "affected": [{"vendor": "n/a", "modules": ["AI Chat Module"], "product": "JeecgBoot", "versions": [{"status": "affected", "version": "3.9.0"}, {"status": "affected", "version": "3.9.1"}]}], "timeline": [{"lang": "en", "time": "2026-04-05T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-05T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-05T17:45:49.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355407", "name": "VDB-355407 | JeecgBoot AI Chat JeecgBizToolsProvider.java missing authentication", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/355407/cti", "name": "VDB-355407 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/785570", "name": "Submit #785570 | JeecgBoot 3.9.0, 3.9.1 Improper Access Controls", "tags": ["third-party-advisory"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/issues/9464", "tags": ["issue-tracking"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/pull/9463", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/commit/b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39", "tags": ["patch"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java of the component AI Chat Module. Such manipulation leads to missing authentication. The attack can be executed remotely. The name of the patch is b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59. It is best practice to apply a patch to resolve this issue. The project fixed the issue with a commit which shall be part of the next official release."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "Missing Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "Improper Authentication"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-06T03:15:14.731Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5616", "state": "PUBLISHED", "dateUpdated": "2026-04-07T03:00:24.200Z", "dateReserved": "2026-04-05T15:40:39.007Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-06T03:15:14.731Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java of the component AI Chat Module. Such manipulation leads to missing authentication. The attack can be executed remotely. The name of the patch is b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59. It is best practice to apply a patch to resolve this issue. The project fixed the issue with a commit which shall be part of the next official release."}], "id": "CVE-2026-5616", "lastModified": "2026-04-07T13:20:35.010", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-06T04:16:13.407", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/jeecgboot/JeecgBoot/"}, {"source": "cna@vuldb.com", "url": "https://github.com/jeecgboot/JeecgBoot/commit/b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39"}, {"source": "cna@vuldb.com", "url": "https://github.com/jeecgboot/JeecgBoot/issues/9464"}, {"source": "cna@vuldb.com", "url": "https://github.com/jeecgboot/JeecgBoot/pull/9463"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/785570"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355407"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355407/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.9.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.9.1"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 88.0, "source": "matching"}]}, "original": {"product": "JeecgBoot", "source": "cna", "vendor": "n/a"}, "product": "jeecgboot", "vendor": "jeecg"}], "analysis": {"en": {"generated_at": "2026-04-06T06:20:42.025844+00:00", "value": {"mitigation_remediation": ["Apply the official patch that includes the commit b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39 (or upgrade to a version containing the fix).", "Verify that the AI Chat module now enforces authentication before allowing any requests."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass (Unauthorized Access)"}, "threat_synthesis": {"affected_systems": "The issue affects the JeecgBoot framework, specifically the AI Chat component under org.jeecg.modules.airag. Versions 3.9.0 and 3.9.1 are vulnerable. Deployments that have not yet incorporated the corrective commit are at risk.", "description_and_impact": "JeecgBoot 3.9.0 and 3.9.1 contain a function in JeecgBizToolsProvider.java that lacks proper authentication checks, allowing a remote request to execute the AI Chat module without identity verification. This flaw permits an attacker to invoke the module\u2019s exposed functionality unimpeded, potentially accessing or manipulating data and leveraging the AI service for malicious purposes. The vulnerability is classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function).", "risk_and_exploitability": "With a CVSS score of 6.9, the vulnerability presents moderate severity. Although EPSS is not available, the remote nature of the attack vector suggests a plausible exploitation scenario. The vulnerability is not listed in the CISA KEV catalog, but without authentication controls, malicious actors could exploit the exposed API from anywhere on the network or the Internet if network exposure exists. Prompt remediation is advised to mitigate the risk of unauthorized data access or manipulation."}}}}, "created": "2026-04-06T20:15:13.490765+00:00", "updated": "2026-04-06T21:47:30.449383+00:00", "vendors": ["jeecg", "jeecg$PRODUCT$jeecgboot"]}