{
  "variant_id": "CVE-2026-58377-V01",
  "created_at": "2026-07-05T16:07:00Z",
  "variant_summary": "Alternate trigger of CVE-2026-58377's broken access control. The same root cause (missing Shiro @RequiresRoles annotations + Shiro filter chain mapping /** to the auth-only jwt filter) is reachable via two additional OpenAPI controllers the parent reproduction never tested: OpenApiLogController (/openapi/record/*) — full CRUD on OpenAPI audit logs by a low-priv user (NEW surface, absent from the CVE description), and OpenApiPermissionController (/openapi/permission/*) — grant permissions on any auth record and enumerate OpenAPI definitions (CVE-claimed but not exercised by repro). Confirmed on JeecgBoot v3.9.2 (latest release; master HEAD is byte-identical). No official patch exists.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/jeecgboot/JeecgBoot",
  "submitted_target": {
    "target_kind": "git_tag",
    "commit_sha": "7df07a823fd558be857d0208ccae96342539fbc1",
    "version": "3.9.2",
    "ref": "v3.9.2",
    "display": "jeecgboot/JeecgBoot v3.9.2 (commit 7df07a8)"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "7df07a823fd558be857d0208ccae96342539fbc1",
    "version": "3.9.2",
    "ref": "v3.9.2",
    "display": "jeecgboot/JeecgBoot v3.9.2 == latest release; master HEAD 32a8dfe byte-identical for affected controllers; no patch exists"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "low",
  "claimed_surface": "OpenApiAuthController /openapi/auth/* (parent reproduction) and OpenApiPermissionController /openapi/permission/* (CVE description, not reproduced)",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "api_remote",
  "required_entrypoint_detail": "JeecgBoot 3.9.2 HTTP API at http://127.0.0.1:8080/jeecg-boot — /openapi/record/* (OpenApiLogController) and /openapi/permission/* (OpenApiPermissionController), authenticated via low-priv JWT (X-Access-Token)",
  "attacker_controlled_input": "authenticated low-privileged user JWT token (ceshi/test role, password 123456) plus request body/params (apiId, callAuthId, apiAuthId) controlling which protected resource is read/mutated",
  "trigger_path": "POST /jeecg-boot/sys/login (ceshi) -> [GET /openapi/record/list | POST /openapi/record/add | DELETE /openapi/record/delete | GET /openapi/record/queryById | POST /openapi/permission/add | GET /openapi/permission/getOpenApi] with X-Access-Token; negative control POST /openapi/add rejected",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": null,
  "file_path": "jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/openapi/controller/OpenApiLogController.java",
  "line_start": 32,
  "line_end": 98,
  "secondary_anchors": [
    {
      "file_path": "jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/openapi/controller/OpenApiPermissionController.java",
      "line_start": 13,
      "line_end": 20
    },
    {
      "file_path": "jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/config/shiro/ShiroConfig.java",
      "line_start": 202,
      "line_end": 202
    },
    {
      "file_path": "jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/openapi/controller/OpenApiAuthController.java",
      "line_start": 22,
      "line_end": 110
    }
  ],
  "review_scope_paths": [
    "jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/openapi/controller/OpenApiLogController.java",
    "jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/openapi/controller/OpenApiPermissionController.java",
    "jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/openapi/controller/OpenApiAuthController.java",
    "jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/openapi/controller/OpenApiController.java",
    "jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/config/shiro/ShiroConfig.java"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh",
      "bundle/vuln_variant/http/record_list_ceshi.json",
      "bundle/vuln_variant/http/record_add_ceshi.json",
      "bundle/vuln_variant/http/record_delete_ceshi.json",
      "bundle/vuln_variant/http/record_queryById_ceshi.json",
      "bundle/vuln_variant/http/permission_add_ceshi.json",
      "bundle/vuln_variant/http/permission_getOpenApi_ceshi.json",
      "bundle/vuln_variant/http/openapi_add_negcontrol.json"
    ]
  }
}
