MEDIUM 6.3

CVE-2026-10241: JimuReport SSRF in File Download Function – Patch to 3.9.2

JimuReport (jeecgboot) versions up to 3.9.1 contain a server-side request forgery (SSRF) vulnerability in a file download function exposed via a debug endpoint. An authenticated attacker can manipulate the application into making arbitrary network requests on behalf of the server, potentially accessing internal resources, cloud metadata, or other services not directly exposed to the internet. The vulnerability is reachable over the network and exploit code is publicly available.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-918
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in jeecgboot The server processes these URLs up to 3.9.1. This affects the function FileDownloadUtils.download2DiskFromNet of the file /airag/app/debug of the component Cloud Instance Metadata Endpoint. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.9.2 mitigates this issue. It is suggested to upgrade the affected component.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the FileDownloadUtils.download2DiskFromNet function within the /airag/app/debug endpoint of jeecgboot. This function fails to properly validate or restrict the network destinations it connects to when downloading files. An attacker with valid credentials can specify arbitrary URLs, causing the server to initiate HTTP/HTTPS requests to internal or restricted systems. This maps to CWE-918 (Server-Side Request Forgery), a class of attacks that exploit backend services' trusted network position to pivot toward internal infrastructure.

Business impact

An authenticated user—potentially an insider or someone with compromised credentials—can abuse this function to enumerate and interact with internal services, cloud metadata endpoints (a particularly high-value target in cloud-native deployments), or other backend systems. This could lead to exposure of sensitive configuration data, API keys, authentication tokens, or credentials stored in metadata services. In multi-tenant or managed service scenarios, this may enable cross-tenant data access or lateral movement within the infrastructure.

Affected systems

JimuReport (jeecgboot) through version 3.9.1 is affected. The vulnerability is specific to installations that expose the /airag/app/debug endpoint and require authentication; however, the presence of a debug endpoint in production is itself a significant operational risk. Verify your deployed version against your vendor's release notes and confirm whether the debug endpoint is accessible in your environment.

Exploitability

The attack requires valid credentials (PR:L in the CVSS vector), but no user interaction is needed. Public exploit code is available, lowering the bar for attackers. The network-accessible nature (AV:N) and low attack complexity (AC:L) mean that any authenticated user—including low-privileged employees or attackers using compromised accounts—can execute this attack with readily available tools.

Remediation

Upgrade jeecgboot to version 3.9.2 or later, which mitigates this vulnerability. Additionally, apply defense-in-depth practices: restrict network access to the /airag/app/debug endpoint (disable in production if possible), implement egress filtering on your application servers to limit outbound connections to known-required services, and audit any debug or admin endpoints for unnecessary exposure.

Patch guidance

Vendor guidance indicates that upgrading to version 3.9.2 resolves this issue. Verify the current version of jeecgboot in your environment and test the patch in a non-production setting before production deployment. If you cannot upgrade immediately, consider disabling or network-restricting access to the /airag/app/debug endpoint and review IAM policies to limit who holds credentials that can reach this endpoint.

Detection guidance

Monitor outbound HTTP/HTTPS connections from your jeecgboot application servers, particularly to unexpected or internal IP ranges, cloud metadata service IPs (169.254.169.254), or unusual ports. Log and alert on requests to the /airag/app/debug endpoint. Review application logs for calls to FileDownloadUtils.download2DiskFromNet with suspicious URLs. In cloud environments, enable VPC Flow Logs or equivalent to detect unexpected egress traffic patterns from application instances.

Why prioritize this

Although the CVSS score is MEDIUM (6.3), this vulnerability warrants prompt attention because: (1) public exploit code is available, (2) it targets a particularly sensitive attack surface—cloud metadata endpoints—which could expose credentials and configuration, and (3) the presence of a debug endpoint in production is often overlooked in risk assessments. For cloud-hosted deployments, prioritize this higher due to metadata exposure risk.

Risk score, explained

The CVSS 3.1 score of 6.3 reflects a network-accessible vulnerability requiring low privileges and causing limited confidentiality, integrity, and availability impact (C:L, I:L, A:L). The score does not account for the widespread use of cloud deployments where metadata exposure has outsized business impact, nor does it weight the availability of public exploits. Security teams should consider their deployment context—particularly cloud infrastructure—when prioritizing this above the nominal MEDIUM rating.

Frequently asked questions

Does this vulnerability require the attacker to have network access to the server?

Yes, but only to reach the application itself. The attacker must be authenticated (have valid credentials). The vulnerability then allows them to make outbound requests from the server to arbitrary network destinations, including internal services the server can reach.

Is the /airag/app/debug endpoint supposed to be in production?

Debug endpoints should never be exposed in production environments. If you find this endpoint accessible, treat it as a critical configuration issue independent of this specific CVE. Disable it immediately and audit for other debug or admin features that may be unintentionally exposed.

What is the relationship between this vulnerability and cloud metadata endpoints?

Server-side request forgery is particularly dangerous in cloud environments because attackers commonly exploit it to query cloud metadata services (e.g., AWS EC2 metadata) to steal credentials, tokens, and configuration. This vulnerability's presence in a component that handles file downloads makes it a direct threat to cloud-deployed instances.

Can I mitigate this without upgrading if I restrict network access?

Partial mitigation is possible: restrict network access to /airag/app/debug, implement egress filtering to block connections to internal IP ranges and metadata services, and audit IAM permissions. However, these are temporary measures. Upgrading to 3.9.2 is the proper fix.

This analysis is based on publicly available CVE data and vendor advisories as of the publication date. Security teams should verify patch availability and compatibility with their specific deployment before applying updates. The presence of public exploit code does not guarantee successful exploitation in all environments; however, it significantly lowers the barrier to attack. This document does not constitute legal or compliance advice. Organizations should assess their own risk tolerance, regulatory requirements, and business context when prioritizing remediation. Always test patches in a controlled environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).