CVE-2026-58375 HIGH

CVE-2026-58375: JimuReport 2.5.0 - Unauthenticated Report Export via /jmreport/auto/export

Vendor Jeecgboot
Product jimureport
Weakness CWE-306 · Missing auth
Published June 30, 2026
Last update July 1, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id without verifying the auto-export configuration flag. An unauthenticated remote attacker can enumerate Snowflake report identifiers and export the full contents of any report, including the data returned by the report configured SQL queries and any credentials embedded in its data sources.

Key dates

02Disclosure timeline

June 30, 2026 CVE published
July 1, 2026 Record updated