CVE Catalog

CVE-2026-58375

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.46%

37th percentile — higher than 37% of all known CVEs

Summary

JimuReport up to version 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication. The @JimuNoLoginRequired annotation causes all access controls to be skipped, and the export service streams the report for any supplied ID without verifying the auto-export configuration flag. An unauthenticated attacker can enumerate Snowflake report identifiers and export the full contents of any report, including data from SQL queries and credentials embedded in data sources.

Risk Assessment

The organization is at risk of sensitive business data and database credentials leakage. An unauthenticated attacker can gain full access to all reports, potentially leading to data confidentiality and integrity breaches.

Recommendation

Immediately update JimuReport to a version newer than 2.5.0 that fixes this vulnerability. Until the update is applied, block access to the /jmreport/auto/export endpoint at the firewall or reverse proxy level.

Original NVD description (English source)

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id without verifying the auto-export configuration flag. An unauthenticated remote attacker can enumerate Snowflake report identifiers and export the full contents of any report, including the data returned by the report configured SQL queries and any credentials embedded in its data sources.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS