CVE-2026-5616 | JeecgBoot 3.9.0/3.9.1 AI Chat JeecgBizToolsProvider.java missing authentication (Issue 9464)

VDB-355407 · CVE-2026-5616 · ISSUE 9464 JEECGBOOT 3.9.0/3.9.1 AI CHAT JEECGBIZTOOLSPROVIDER.JAVA MISSING AUTHENTICATION HISTORYDIFFRELATEJSONXMLCTI Summaryinfo A vulnerability has been found in JeecgBoot 3.9.0/3.9.1 and classified as critical. This affects an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java of the component AI Chat Module. Performing a manipulation results in missing authentication. This vulnerability is reported as CVE-2026-5616. The attack is possible to be carried out remotely. No exploit exists. It is recommended to apply a patch to fix this issue. The project fixed the issue with a commit which shall be part of the next official release. Detailsinfo A vulnerability was found in JeecgBoot 3.9.0/3.9.1. It has been classified as critical. This affects an unknown part of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java of the component AI Chat Module. The manipulation with an unknown input leads to a missing authentication vulnerability. CWE is classifying the issue as CWE-306. The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. This is going to have an impact on confidentiality, integrity, and availability. It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2026-5616. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details of the vulnerability are known, but there is no available exploit. The project fixed the issue with a commit which shall be part of the next official release. Applying the patch b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59 is able to eliminate this problem. The bugfix is ready for download at github.com. Productinfo Name JeecgBoot Version 3.9.0 3.9.1 License open-source Website Product: https://github.com/jeecgboot/JeecgBoot/ CPE 2.3info 🔒 🔒 CPE 2.2info 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 7.3 VulDB Meta Temp Score: 7.0 VulDB Base Score: 7.3 VulDB Temp Score: 7.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Missing authentication CWE: CWE-306 / CWE-287 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Patch Status: 🔍 0-Day Time: 🔒 Patch: b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59 Timelineinfo 04/05/2026 Advisory disclosed 04/05/2026 +0 days VulDB entry created 04/05/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: 9464 Status: Confirmed Confirmation: 🔒 CVE: CVE-2026-5616 (🔒) GCVE (CVE): GCVE-0-2026-5616 GCVE (VulDB): GCVE-100-355407 Entryinfo Created: 04/05/2026 17:45 Changes: 04/05/2026 17:45 (57) Complete: 🔍 Submitter: anch0r Cache ID: 99:2CC:101 Submitinfo Accepted Submit #785570: JeecgBoot 3.9.0, 3.9.1 Improper Access Controls (by anch0r) Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸