CVE-2026-7306 MEDIUM

CVE-2026-7306: Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard-coded key

Vendor Xuxueli
Product xxl-job
Weakness CWE-321
Published April 28, 2026
Last update April 30, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Manipulation of the argument default_token leads to use of a hard-coded cryptographic key. The attack can be launched remotely. The attack complexity is high, and exploitation is regarded as difficult. The exploit has been disclosed publicly and may be used.

Key dates

Disclosure timeline

April 28, 2026 CVE published
April 30, 2026 Record updated