CVE-2026-11464: JeecgBoot User List Information Disclosure via Salt Parameter
JeecgBoot versions up to 3.9.2 contain a vulnerability in the User List Endpoint that allows authenticated users to disclose sensitive information by manipulating a salt parameter. An attacker with valid credentials can exploit this flaw to access restricted data, though doing so requires specific conditions and technical knowledge. A fix is planned for a future release.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-200, CWE-284
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-07 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in JeecgBoot up to 3.9.2. Affected by this vulnerability is the function queryPageList of the file src\main\java\org\jeecg\modules\system\controller\SysUserController.java of the component User List Endpoint. The manipulation of the argument salt leads to information disclosure. The attack may be initiated remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit is publicly available and might be used. A fix is planned for the upcoming release.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The queryPageList function in SysUserController.java fails to properly validate or restrict the salt argument supplied by authenticated users. This parameter manipulation leads to information disclosure (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) and represents a violation of access control boundaries (CWE-284: Improper Access Control). The vulnerability requires network access, valid user credentials, and moderately complex attack preparation, as reflected in the CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N.
Business impact
While the CVSS score of 3.1 (LOW) reflects limited immediate damage potential, this vulnerability enables authenticated insiders or compromised user accounts to exfiltrate sensitive information without triggering data modification alerts. Organizations relying on JeecgBoot for access control or data segregation should assess whether the exposed information intersects with regulated data (PII, financial records, etc.), as the actual business impact may exceed the technical severity rating in compliance-sensitive environments.
Affected systems
JeecgBoot versions up to and including 3.9.2 are confirmed vulnerable. The vulnerability resides in the User List Endpoint component, making any deployment exposing this endpoint directly accessible to network users a potential target. Organizations should verify their JeecgBoot installation version and review which users and systems have network access to the User List API.
Exploitability
The vulnerability is rated HIGH in attack complexity and is difficult to exploit, yet a public exploit exists. This combination suggests the attack requires knowledge of the salt parameter's role and expected values, plus valid user authentication. The presence of public exploit code elevates the risk that adversaries with basic reconnaissance skills may eventually weaponize it, though active widespread exploitation is not typical for low-severity information disclosure flaws.
Remediation
Upgrade to the patched release once the vendor releases it (verify against official JeecgBoot release notes). Until then, restrict network access to the User List Endpoint via firewall rules or API gateway authentication policies to users who genuinely require it. Audit recent access logs for unusual salt parameter values in queryPageList requests. Consider rotating credentials for accounts with elevated privileges if prior unauthorized access is suspected.
Patch guidance
The vendor has announced a fix is planned for an upcoming release. Monitor the JeecgBoot project repository and security advisories for version announcements. When a patched version is published, validate the release notes confirm remediation of CVE-2026-11464. In testing environments, verify that the salt parameter is now properly validated and that information disclosure no longer occurs when malformed or unexpected values are supplied.
Detection guidance
Monitor access logs for the queryPageList endpoint (src/main/java/org/jeecg/modules/system/controller/SysUserController.java) and look for requests with unusual or repeated salt parameter values, particularly from unexpected user accounts or IP ranges. Correlate with any subsequent data access patterns that suggest sensitive information retrieval. Web application firewalls or API gateways can be configured to flag salt parameters outside expected formats or lengths.
Why prioritize this
Although the CVSS score is LOW, this vulnerability warrants attention for organizations with sensitive user or system data in JeecgBoot deployments. The existence of public exploit code and the ease of initial access (requiring only valid credentials) make it an attractive target for insider threats or post-compromise lateral movement. Prioritize patching if user account metadata, role information, or other administrative data is at risk.
Risk score, explained
CVSS 3.1 (LOW, score 3.1) reflects limited attack surface (requires authentication and high complexity), confined impact (confidentiality only, low scope), and no availability or integrity damage. However, the availability of public exploit code and the sensitivity of the User List Endpoint in access-control systems argue for treating this above baseline LOW-severity handling in environments where user enumeration or metadata leakage has compliance or operational consequences.
Frequently asked questions
Do I need valid credentials to exploit this?
Yes. The CVSS vector shows PR:L (Privileges Required: Low), meaning an authenticated user account is mandatory. External, unauthenticated attackers cannot exploit this directly, but compromised internal accounts or supply-chain access become a risk vector.
What information can an attacker disclose?
The vulnerability permits disclosure of sensitive information via the salt parameter manipulation, but the specific fields exposed are not detailed in the public description. Review your JeecgBoot deployment's User List Endpoint output to determine whether exposed data includes password hashes, role assignments, email addresses, or other PII.
Is this being actively exploited in the wild?
There is no evidence of active exploitation at scale (KEV status is false), though a public exploit exists. However, the presence of public code means exploitation could accelerate if the vulnerability reaches high visibility or if JeecgBoot instances are exposed on the internet without additional access controls.
Should I disable the User List Endpoint entirely?
Disabling it may break application functionality if internal tools depend on user enumeration. Instead, implement strict network segmentation (limit access to trusted internal subnets), enforce multi-factor authentication, and use API gateway rules to validate salt parameters before they reach the application.
This analysis is based on publicly available vulnerability data current as of the publication date. The CVSS score, affected versions, and patch status reflect information from the CVE record and do not constitute a guarantee of completeness or accuracy in all environments. Verify affected system versions and patch applicability against official vendor advisories before remediation. SEC.co does not guarantee exploit availability, active exploitation, or the effectiveness of recommended mitigations in your specific infrastructure. Organizations should conduct their own risk assessment based on their JeecgBoot deployment, user privilege model, and data sensitivity. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11459LOWSecureAge CatchPulse Information Disclosure Vulnerability
- CVE-2026-11458MEDIUMJeeWMS Boot Actuator Information Disclosure Vulnerability
- CVE-2026-10011LOWChrome Skia Cross-Origin Data Leak
- CVE-2026-45154LOWNextcloud Collective Pages Trashbin Access Control Bypass
- CVE-2026-45266LOWNextcloud Unauthorized Call Microphone Mute Vulnerability
- CVE-2026-45277LOWNextcloud Approval Information Disclosure Vulnerability
- CVE-2026-45683LOWOpenTelemetry eBPF Instrumentation Kernel Memory Disclosure
- CVE-2026-45739LOWStrawberry GraphQL Credential Exposure in GraphiQL Headers