MEDIUM 5.3

CVE-2026-11458: JeeWMS Boot Actuator Information Disclosure Vulnerability

A flaw in erzhongxmu JeeWMS allows unauthenticated attackers to access sensitive information through an exposed Boot Actuator Endpoint at /base-boot/actuator. The vulnerability requires no special conditions to exploit and can be triggered over the network. While the issue is rated MEDIUM severity and does not allow data modification or system disruption, the information disclosure risk warrants prompt remediation. Public exploit code is available, increasing the likelihood of opportunistic attacks.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-200, CWE-284
Affected products
0 configuration(s)
Published / Modified
2026-06-07 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This issue affects some unknown processing of the file /base-boot/actuator of the component Boot Actuator Endpoint. Executing a manipulation can lead to information disclosure. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11458 is an information disclosure vulnerability affecting the Boot Actuator Endpoint component in erzhongxmu JeeWMS. The flaw stems from insufficient access controls (CWE-284) and improper information handling (CWE-200) in the /base-boot/actuator endpoint. The vulnerability is network-accessible, requires no authentication or user interaction, and operates in a manner that suggests the endpoint may expose internal system state or configuration data that should remain restricted. The affected component is part of the application's boot and management infrastructure, which typically handles sensitive operational metadata. JeeWMS uses a rolling release model, complicating version tracking and patch correlation.

Business impact

Information disclosure through this endpoint could expose internal system architecture, configuration details, or operational metadata to attackers. For organizations relying on JeeWMS for warehouse management, this breach of confidentiality may compromise compliance posture if sensitive business or customer data is inadvertently revealed. The public availability of exploit code increases attack surface exposure, particularly for internet-facing JeeWMS instances. While direct system compromise is not possible via this vector, the disclosed information could facilitate secondary attacks or social engineering efforts.

Affected systems

erzhongxmu JeeWMS up to and including commit 141740afb2ba14d441c82a833d0a418d07ca2d69 is affected. The rolling release delivery model means version numbers are not tracked, making it difficult to determine patch status based on traditional versioning. Organizations must rely on commit hash or actual testing to verify remediation. Any JeeWMS instance with the /base-boot/actuator endpoint accessible over a network should be considered potentially vulnerable until confirmed patched.

Exploitability

This vulnerability has a low barrier to exploitation. No authentication is required, no special conditions must be met, and the attack is trivial to execute remotely—an unauthenticated actor can probe the endpoint directly via HTTP. Public exploit code availability significantly increases the probability of automated scanning and attack attempts. The CVSS score of 5.3 reflects the network accessibility and lack of prerequisite conditions, though impact is limited to confidentiality.

Remediation

Organizations should update JeeWMS to a patched version beyond commit 141740afb2ba14d441c82a833d0a418d07ca2d69. Given the rolling release model, verify the current commit hash in your deployment and compare against vendor advisories or pull the latest build if available. Alternatively, restrict network access to the /base-boot/actuator endpoint using a Web Application Firewall (WAF), reverse proxy, or network segmentation until a verified patch is deployed. Disable or remove the Boot Actuator Endpoint if it is not required for operations.

Patch guidance

Verify the current commit of your JeeWMS deployment. Check erzhongxmu's official repository or advisory channels for confirmation that your running version is at or beyond a patched commit post-141740afb2ba14d441c82a833d0a418d07ca2d69. Because JeeWMS uses rolling releases without traditional version numbers, pull the latest main branch or release tag and test in a staging environment before production deployment. Document the commit hash after patching for audit purposes.

Detection guidance

Monitor for HTTP requests to /base-boot/actuator endpoints, particularly those from external or untrusted networks. Log and alert on successful responses from this path. If your JeeWMS instance exposes this endpoint, review recent access logs for reconnaissance activity. Network-based detection should flag any attempts to access management or actuator endpoints from unexpected sources. Application Performance Monitoring (APM) tools can help identify unusual data exfiltration patterns following endpoint access.

Why prioritize this

Although rated MEDIUM severity, this vulnerability merits prompt remediation due to public exploit availability and the low attack complexity. Information disclosure from management endpoints can facilitate lateral movement or social engineering. The lack of vendor responsiveness and reliance on rolling releases means patches may be delayed or difficult to track, increasing the window of exposure. For internet-facing JeeWMS instances, this should be addressed within 1–2 weeks.

Risk score, explained

The CVSS:3.1 score of 5.3 (MEDIUM) reflects network accessibility and no authentication requirement (AV:N, PR:N, UI:N), resulting in a moderate impact to confidentiality (C:L). Integrity and availability are not affected (I:N, A:N), and the scope is unchanged (S:U). The score appropriately captures the risk of information disclosure without systemic compromise, but does not account for the downstream risk amplification from public exploits or the operational friction of rolling releases.

Frequently asked questions

What is the /base-boot/actuator endpoint?

The /base-boot/actuator is a management endpoint typically used for system introspection and operational monitoring. In the context of JeeWMS, it likely exposes internal metrics, configuration, or state data intended for administrators. This vulnerability allows unauthenticated remote access to that sensitive information.

Does this vulnerability allow remote code execution or system takeover?

No. This is an information disclosure flaw only. It does not permit attackers to modify data, execute code, or disrupt service availability. However, the information disclosed may be used to plan additional attacks.

How do I know if I am running a patched version given the rolling release model?

Check the commit hash of your running JeeWMS instance and verify it is later than 141740afb2ba14d441c82a833d0a418d07ca2d69. Consult the official erzhongxmu repository or security advisories for confirmation. If you cannot determine your commit, pull the latest code from the primary branch, test it in a non-production environment, and deploy after validation.

Why did the vendor not respond to early disclosure?

The vendor did not acknowledge or respond to disclosure efforts prior to publication. This suggests either organizational capacity constraints or reduced active maintenance. Organizations using JeeWMS should monitor the project's repository and security channels directly for updates, rather than rely on vendor-coordinated disclosure.

This analysis is based on the publicly disclosed vulnerability record as of the publication date. Exploit details are withheld to prevent misuse. Verify all patch versions, commit hashes, and remediation steps against official vendor sources before deployment. The rolling release model used by JeeWMS means version tracking may be incomplete; organizations must validate patch status independently. This vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the analysis date, but public exploits exist and should be treated as active threats. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).