CVE-2026-10240: JeecgBoot SSRF Vulnerability in /airag/airagModel/test Endpoint
JeecgBoot versions up to 3.9.2 contain a server-side request forgery (SSRF) vulnerability in the /airag/airagModel/test endpoint. An authenticated attacker can manipulate the baseUrl parameter to make the server perform unintended HTTP requests to internal or external systems. The vulnerability requires login credentials but does not require user interaction, and can be exploited over the network. A fix is planned for an upcoming release.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-918
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in JeecgBoot up to 3.9.2. The impacted element is an unknown function of the file /airag/airagModel/test. The manipulation of the argument baseUrl leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. A fix is planned for the upcoming release.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in JeecgBoot's AI RAG (Retrieval-Augmented Generation) model testing functionality. The /airag/airagModel/test endpoint fails to properly validate or sanitize the baseUrl argument before using it in server-side HTTP operations, enabling SSRF attacks. An authenticated attacker (PR:L) can inject arbitrary URLs to access internal services, cloud metadata endpoints, or external systems. The attack vector is network-based with low complexity and no user interaction required (UI:N). This is classified as CWE-918 (Server-Side Request Forgery).
Business impact
Successful exploitation allows attackers with valid credentials to bypass network segmentation and access internal services not directly exposed to the internet. This could lead to reconnaissance of internal infrastructure, exfiltration of data from internal APIs, access to cloud metadata services (potentially exposing credentials), or lateral movement within the network. The impact is limited to authenticated users, reducing but not eliminating organizational risk, particularly in environments with weak access controls or credential compromise.
Affected systems
JeecgBoot versions up to and including 3.9.2 are confirmed vulnerable. Organizations running earlier versions or current deployments of JeecgBoot in development, testing, or production environments should assess their exposure. Verify your installed version against the vendor's advisory for exact affected version ranges, as the advisory may specify different cutoff versions.
Exploitability
The exploit is publicly available, increasing the risk of widespread abuse. However, exploitability is moderated by the requirement for prior authentication—the attacker must possess valid login credentials. In environments with strong credential hygiene and access controls, the risk is lower; in environments with shared accounts, weak passwords, or recent credential breaches, the risk escalates significantly. The attack requires no special techniques or user interaction, making it straightforward to execute once access is obtained.
Remediation
Apply the patched version when released by the JeecgBoot project. Until a patch is available, implement network-level controls such as egress filtering to restrict the server's ability to reach internal or sensitive external systems. Review authentication logs and access controls to identify and remediate any unauthorized credential use. Consider disabling or restricting access to the /airag/airagModel/test endpoint if it is not actively used in your environment.
Patch guidance
Monitor the JeecgBoot project repository and vendor advisories for the next release containing the SSRF fix. The current notice states a fix is planned but does not specify a version number; coordinate with your JeecgBoot vendor or support team for timeline and availability. Once a patched version is released, test it in a non-production environment before deployment. Track the vulnerability status via the official vendor advisory to confirm the patch release date.
Detection guidance
Search logs for POST or GET requests to /airag/airagModel/test with suspicious baseUrl parameters pointing to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost, 127.0.0.1, or cloud metadata endpoints (e.g., 169.254.169.254). Monitor outbound connections initiated from the JeecgBoot application server to unexpected internal services or external systems. Implement WAF rules or reverse proxy rules to block requests to this endpoint unless necessary, or to inspect baseUrl parameters for suspicious values. Enable detailed HTTP request logging if not already in place.
Why prioritize this
While the CVSS score is MEDIUM (6.3), the presence of a public exploit combined with an authentication requirement warrants elevated attention. Prioritize patching if your organization has: exposed JeecgBoot instances accessible to untrusted users, shared or weak credentials, or sensitive internal services that would be harmed by SSRF access. Organizations with strong network segmentation and robust access controls may deprioritize relative to critical vulnerabilities, but should not ignore this vulnerability indefinitely.
Risk score, explained
The CVSS 3.1 score of 6.3 (MEDIUM) reflects: network-based attack vector (AV:N), low attack complexity (AC:L), and low privilege requirement (PR:L) balanced against limited confidentiality, integrity, and availability impact (C:L/I:L/A:L) scoped to the vulnerable component. The public availability of an exploit elevates practical risk beyond the base score. Organizations should assess their specific environment—credential exposure or network architecture could raise the effective risk.
Frequently asked questions
Do I need authentication to exploit this vulnerability?
Yes. The vulnerability requires prior authentication (PR:L in the CVSS vector), meaning the attacker must have valid JeecgBoot login credentials. However, once authenticated, no additional user interaction is needed to trigger the SSRF.
Can this vulnerability allow remote code execution?
This SSRF vulnerability enables attackers to make the server perform HTTP requests to internal or external systems. While SSRF alone does not directly execute arbitrary code, it can be chained with other vulnerabilities (e.g., accessing internal services with RCE) or used to extract sensitive data such as cloud credentials or internal configuration.
What should I do if a patch is not yet available?
Implement compensating controls: restrict network egress from the JeecgBoot server to only necessary services, restrict access to the vulnerable endpoint at the firewall or WAF level, audit authentication logs for unusual access patterns, and ensure your credential management practices are strong to reduce the risk of account compromise.
Is this vulnerability tracked in the CISA KEV catalog?
No, this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, though a public exploit exists. Monitor CISA's KEV updates and your vendor's advisories for any changes in status or additional guidance.
This analysis is based on publicly available vulnerability data and the vendor's advisory as of the publication date. Version numbers, patch timelines, and affected product ranges should be verified against the official JeecgBoot vendor advisory and release notes. Patch availability and timelines are subject to change. Organizations should conduct their own risk assessment based on their network architecture, access controls, and the sensitivity of internal services. No exploit code or proof-of-concept is provided in this document. This information is for defensive and educational purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10052MEDIUMQuay SSRF in LDAP/SMTP Validation—Internal Network Reconnaissance Risk
- CVE-2026-10177MEDIUMSSRF in Aider-AI Aider 0.86.3 AWS Metadata Endpoint
- CVE-2026-10239MEDIUMJeecgBoot Server-Side Request Forgery (SSRF) in Word Editing Module
- CVE-2026-10241MEDIUMJimuReport SSRF in File Download Function – Patch to 3.9.2
- CVE-2026-10274MEDIUMServer-Side Request Forgery in aem-mcp-server
- CVE-2026-10276MEDIUMJenkins-server-mcp SSRF Vulnerability (0.1.0)
- CVE-2026-10517MEDIUMClair SSRF Vulnerability – Unfiltered HTTP Requests Leak Metadata
- CVE-2026-10581MEDIUMDedeCMS 5.7.88 SSRF Vulnerability in Download Function