Submit #803077: xuxueli https://github.com/xuxueli/xxl-job v3.3.2 Authorization Bypassinfo

Titlexuxueli https://github.com/xuxueli/xxl-job v3.3.2 Authorization Bypass
DescriptionThe admin-side OpenAPI entrypoint explicitly disables SSO login and relies solely on the XXL-JOB-ACCESS-TOKEN header for authorization. At the same time, the default configuration file sets the token to a fixed public value: default_token. Because the sample and default deployment flow does not force operators to replace this secret before exposing the service, the product can be deployed in an insecure state by default.
Source⚠️ https://github.com/xuxueli/xxl-job/issues/3938
User
 larlarua (UID 97278)
Submission04/12/2026 11:32 (3 months ago)
Moderation04/28/2026 13:45 (16 days later)
StatusAccepted
VulDB entry359961 [Xuxueli xxl-job up to 3.3.2 OpenAPI Endpoint OpenApiController.java default_token hard-coded key]
Points20

Do you need the next level of professionalism?

Upgrade your account now!