CVE-2026-58375 in jimureport
Summary
by MITRE • 06/30/2026
JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id without verifying the auto-export configuration flag. An unauthenticated remote attacker can enumerate Snowflake report identifiers and export the full contents of any report, including the data returned by the report's configured SQL queries and any credentials embedded in its data sources.
Analysis
by VulDB Data Team • 06/30/2026
The vulnerability in JimuReport versions through 2.5.0 is a critical authentication bypass that exposes sensitive reporting functionality to unauthenticated remote attackers. The flaw lies in the POST /jmreport/auto/export endpoint, which is deliberately configured to skip authentication checks through the @JimuNoLoginRequired annotation. The JimuReportTokenInterceptor component, designed to enforce security controls, bypasses its validation entirely for this endpoint, creating an unauthorized access path that undermines the application's core security architecture. The vulnerability stems from a misconfiguration in the security interceptor logic: the system never validates whether auto-export functionality should be enabled for the requested report identifier, so arbitrary data can be extracted regardless of the caller's authentication status.
The technical implementation of this vulnerability creates a dangerous scenario where attackers can enumerate valid Snowflake report identifiers through systematic probing and then exploit the unauthenticated export service to retrieve complete report contents. The system streams rendered reports without verifying the auto-export configuration flag that should normally control access permissions, meaning any valid report id can be requested and exported by unauthorized parties. This exposes not only the structured report data but also any credentials or sensitive information embedded within the data sources that were configured for the reporting queries. The lack of input validation and authorization checks creates a comprehensive data exfiltration vector that bypasses traditional security controls designed to protect sensitive business intelligence.
The operational impact of this vulnerability extends beyond simple data exposure to encompass potential credential theft, intellectual property disclosure, and unauthorized access to business-critical information. Attackers can systematically enumerate report identifiers and then extract complete datasets including any embedded database credentials, API keys, or other sensitive authentication material that might be present in the reporting data sources. This vulnerability directly violates fundamental security principles of least privilege and mandatory access controls, as it allows arbitrary external parties to access data that should only be available to authenticated users with appropriate permissions. The affected environment faces risks of regulatory compliance violations and potential financial losses due to unauthorized access to proprietary business information.
Mitigation strategies should focus on implementing proper authentication enforcement for the export endpoint by removing or modifying the @JimuNoLoginRequired annotation and ensuring the JimuReportTokenInterceptor properly validates user credentials before permitting report exports. Organizations should implement additional controls such as rate limiting and request validation to prevent automated enumeration attacks, while also configuring appropriate access controls that verify both user authentication and authorization status for each report export request. The system should validate the auto-export configuration flag and ensure that only authorized users can trigger report exports, with logging and monitoring enabled to detect suspicious access patterns. This vulnerability aligns with CWE-285 (Improper Authorization) and represents a significant risk under ATT&CK technique T1078 (Valid Accounts) as attackers can leverage the exposed functionality to extract sensitive information without proper authentication credentials.
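The following Spring MVC interceptor is an added illustration of the mitigation described above; it is not JimuReport's own code. It assumes a Spring Boot 2.x (javax.servlet) setup, and the nested JimuNoLoginRequired annotation, ReportConfigStore, TokenVerifier, the X-Access-Token header and the id parameter are stand-ins for the real names, which this page does not give.

```java
import java.lang.annotation.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;

public class ExportGuardInterceptor implements HandlerInterceptor {

    /** Stand-in for the real annotation of the same name (shape assumed). */
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    public @interface JimuNoLoginRequired {}

    /** Stand-in for the per-report configuration lookup (assumed). */
    public interface ReportConfigStore { boolean isAutoExportEnabled(String reportId); }

    /** Stand-in for the token validation the interceptor already performs (assumed). */
    public interface TokenVerifier { boolean isValid(String token); }

    private final ReportConfigStore configStore;
    private final TokenVerifier tokenVerifier;

    public ExportGuardInterceptor(ReportConfigStore configStore, TokenVerifier tokenVerifier) {
        this.configStore = configStore;
        this.tokenVerifier = tokenVerifier;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        if (!(handler instanceof HandlerMethod)) {
            return true; // not a controller method (e.g. static resource); nothing to guard
        }
        boolean noLoginRequired = ((HandlerMethod) handler).hasMethodAnnotation(JimuNoLoginRequired.class);
        // Vulnerable pattern: `if (noLoginRequired) return true;` at this point lets any
        // caller export any report id, which is the behaviour described for CVE-2026-58375.
        // Hardened pattern: a valid token is always required unless the request targets a
        // report whose auto-export flag is explicitly enabled. Per-report authorization of
        // the authenticated user still belongs in the export service itself.
        String token = request.getHeader("X-Access-Token"); // header name assumed
        if (token != null && tokenVerifier.isValid(token)) {
            return true;
        }
        String reportId = request.getParameter("id"); // parameter name assumed
        if (noLoginRequired && reportId != null && configStore.isAutoExportEnabled(reportId)) {
            return true;
        }
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
}
```

Register the interceptor for the /jmreport/auto/export path so that the annotation alone can no longer grant access; rejected requests surface as 401 responses that rate limiting and log monitoring can key on.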