CVE-2026-58375 | JimuReport through 2.5.0 exposes the POST /jmreport/auto/exp… | CVSS 7.5 HIGH

Description

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id without verifying the auto-export configuration flag. An unauthenticated remote attacker can enumerate Snowflake report identifiers and export the full contents of any report, including the data returned by the report configured SQL queries and any credentials embedded in its data sources.

Metadata

CVE ID: CVE-2026-58375
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-30 12:43 UTC
Published: 2026-06-30 15:58 UTC
Last updated: 2026-06-30 15:58 UTC
Primary CWE: CWE-306
Missing Authentication for Critical Function
Vendor / Product: jeecgboot / jimureport
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
jeecgboot	jimureport	—	0 ≤ 2.5.0

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	Missing Authentication for Critical Function

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (2)