LOW 3.1

CVE-2026-11502: JeecgBoot Open Redirect in Third-Party Login – Security Analysis

JeecgBoot versions up to 3.9.2 contain an open redirect vulnerability in the third-party login flow. When users are directed to log in via OAuth providers like DingTalk or WeChat, an attacker can manipulate the state parameter to redirect victims to a malicious website after authentication. The attack requires social engineering—tricking a user into clicking a specially crafted login link—and only affects deployments that have enabled third-party login functionality.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-601
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in JeecgBoot up to 3.9.2. Impacted is the function HttpServletResponse.sendRedirect of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java of the component Third-Party Login. This manipulation of the argument state causes open redirect. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The project replied: "After evaluation, this vulnerability has low exploitability in real-world scenarios: 1) Exploiting this vulnerability requires attackers to use social engineering techniques to induce victims to actively click on an OAuth login link constructed by the attacker; it cannot be triggered passively. 2) Third-party login (DingTalk/WeChat, etc.) is an optional feature and may not be enabled in most projects."

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the ThirdLoginController.java component, specifically in the HttpServletResponse.sendRedirect function call. The state parameter used in OAuth authentication flows is not properly validated before being passed to the redirect method, allowing CWE-601 (URL Redirection to Untrusted Site) exploitation. While a proof-of-concept has been disclosed publicly, real-world impact is constrained by two factors: the attack vector requires user interaction (clicking an attacker-controlled OAuth link), and third-party login is an optional feature that may not be enabled in many JeecgBoot installations.

Business impact

Organizations running JeecgBoot with third-party login enabled face credential phishing risk. An attacker could craft a legitimate-looking OAuth login link that, after the user authenticates, redirects them to a credential harvesting site or malicious domain. This is a secondary attack that follows successful social engineering rather than a direct system compromise. The impact is typically reputation damage and user credential exposure rather than direct data breach of the JeecgBoot system itself.

Affected systems

JeecgBoot versions 3.9.2 and earlier are affected. The vulnerability only manifests if third-party login functionality (such as DingTalk or WeChat integration) has been configured and enabled. Default or minimal installations without third-party OAuth integration are not exposed.

Exploitability

The CVSS 3.1 score of 3.1 (LOW) reflects the genuine barriers to exploitation. An attacker must construct a weaponized OAuth login URL and use social engineering to convince a target user to click it. The attack cannot be triggered passively through network reconnaissance or exploit delivery. The project's assessment is accurate: this requires both attacker sophistication and victim cooperation. Public disclosure of a PoC increases theoretical risk but does not fundamentally change the practical difficulty.

Remediation

Upgrade JeecgBoot to a version above 3.9.2 that includes patching of the state parameter validation in ThirdLoginController.java. Organizations unable to upgrade immediately should consider disabling third-party login functionality if not operationally critical, or implement reverse-proxy-level URL filtering to block malformed redirect parameters as a temporary control.

Patch guidance

Consult the JeecgBoot project repository and security advisories for patched versions released after June 2026. Verify that the patch includes input validation and/or allowlisting of redirect destinations in the third-party login flow. Test the patch in a pre-production environment to confirm third-party login functionality remains intact before rolling out to production systems.

Detection guidance

Monitor HTTP logs and reverse-proxy records for ThirdLoginController requests with unusual or suspicious state parameter values, particularly those containing external domains or URL-encoded redirect targets. Implement endpoint monitoring on servers with third-party OAuth enabled to flag redirect calls with non-whitelisted destinations. User education on recognizing phishing and unusual post-login redirects is also valuable.

Why prioritize this

This vulnerability warrants attention but is not critical. The LOW CVSS score, optional nature of the affected feature, and social engineering requirement place it in the medium-term patching queue rather than emergency response. Prioritize it higher if your JeecgBoot deployment actively uses third-party login with external trust, or if you operate in an environment with high social engineering risk (e.g., highly targeted organizations).

Risk score, explained

The CVSS 3.1 score of 3.1 correctly reflects low severity: network-accessible but requires high attack complexity, no privilege elevation, and only results in integrity loss (credential theft via redirect), not confidentiality or availability impact. The vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N appropriately penalizes the high complexity and user interaction requirement. The public PoC increases likelihood but does not change the underlying difficulty or impact ceiling.

Frequently asked questions

Does this affect all JeecgBoot deployments?

No. Only installations that have enabled third-party login (such as DingTalk or WeChat OAuth integration) are vulnerable. JeecgBoot instances using only native authentication are not impacted.

Can an attacker exploit this without user interaction?

No. The attack fundamentally requires a user to click on an attacker-crafted OAuth login link. It cannot be triggered passively through network scanning or automated exploitation.

What is the actual data at risk if this is exploited?

The vulnerability enables credential phishing and post-authentication redirect attacks. An attacker cannot directly steal data from JeecgBoot itself, but can trick users into surrendering credentials to a malicious site or into visiting a phishing domain after a legitimate login.

Should we disable third-party login until we can patch?

If third-party login is not essential to your operations and your user base is small or security-aware, disabling it is a reasonable temporary mitigation. If it is critical to business workflow, proceed with patching in your next scheduled maintenance window and consider supplementary controls such as user education.

This analysis is provided for informational purposes by SEC.co and represents our assessment as of the publication date. Vulnerability severity and exploitability may evolve as new information emerges or as attackers develop new techniques. Always verify patch availability and compatibility with your specific JeecgBoot version and deployment before applying updates. This analysis does not constitute legal advice, and organizations must perform their own risk assessment based on their unique environment and threat model. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).