{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7306", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-28T11:45:16.427Z", "datePublished": "2026-04-28T19:30:13.749Z", "dateUpdated": "2026-04-30T12:58:07.137Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-28T19:30:13.749Z"}, "title": "Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard-coded key", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-321", "lang": "en", "description": "Use of Hard-coded Cryptographic Key"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-320", "lang": "en", "description": "Key Management Error"}]}], "affected": [{"vendor": "Xuxueli", "product": "xxl-job", "versions": [{"version": "3.3.0", "status": "affected"}, {"version": "3.3.1", "status": "affected"}, {"version": "3.3.2", "status": "affected"}], "cpes": ["cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*"], "modules": ["OpenAPI Endpoint"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key\r . It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.6, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:C"}}], "timeline": [{"time": "2026-04-28T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-28T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-28T13:50:29.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "larlarua (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/359961", "name": "VDB-359961 | Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359961/cti", "name": "VDB-359961 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/803077", "name": "Submit #803077 | xuxueli https://github.com/xuxueli/xxl-job v3.3.2 Authorization Bypass", "tags": ["third-party-advisory"]}, {"url": "https://github.com/xuxueli/xxl-job/issues/3938", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/xuxueli/xxl-job/issues/3938#issuecomment-4149938881", "tags": ["issue-tracking"]}, {"url": "https://github.com/xuxueli/xxl-job/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-30T12:57:53.118222Z", "id": "CVE-2026-7306", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-30T12:58:07.137Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7306", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-30T12:57:53.118222Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-30T12:58:02.367Z"}}], "cna": {"title": "Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard-coded key", "credits": [{"lang": "en", "type": "reporter", "value": "larlarua (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*"], "vendor": "Xuxueli", "modules": ["OpenAPI Endpoint"], "product": "xxl-job", "versions": [{"status": "affected", "version": "3.3.0"}, {"status": "affected", "version": "3.3.1"}, {"status": "affected", "version": "3.3.2"}]}], "timeline": [{"lang": "en", "time": "2026-04-28T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-28T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-28T13:50:29.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359961", "name": "VDB-359961 | Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359961/cti", "name": "VDB-359961 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/803077", "name": "Submit #803077 | xuxueli https://github.com/xuxueli/xxl-job v3.3.2 Authorization Bypass", "tags": ["third-party-advisory"]}, {"url": "https://github.com/xuxueli/xxl-job/issues/3938", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/xuxueli/xxl-job/issues/3938#issuecomment-4149938881", "tags": ["issue-tracking"]}, {"url": "https://github.com/xuxueli/xxl-job/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key\r . It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "Use of Hard-coded Cryptographic Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-320", "description": "Key Management Error"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-28T19:30:13.749Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7306", "state": "PUBLISHED", "dateUpdated": "2026-04-30T12:58:07.137Z", "dateReserved": "2026-04-28T11:45:16.427Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-28T19:30:13.749Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key\r . It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used."}], "id": "CVE-2026-7306", "lastModified": "2026-04-29T21:16:21.590", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-28T22:16:51.060", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/xuxueli/xxl-job/"}, {"source": "cna@vuldb.com", "url": "https://github.com/xuxueli/xxl-job/issues/3938"}, {"source": "cna@vuldb.com", "url": "https://github.com/xuxueli/xxl-job/issues/3938#issuecomment-4149938881"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/803077"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359961"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359961/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-320"}, {"lang": "en", "value": "CWE-321"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.3.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.3.2"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "xxl-job", "source": "cna", "vendor": "Xuxueli"}, "product": "xxl-job", "vendor": "xuxueli"}], "analysis": {"en": {"generated_at": "2026-04-29T02:37:38.733396+00:00", "value": {"mitigation_remediation": ["Upgrade to a version newer than 3.3.2 where the hard\u2011coded key is removed or corrected.", "If an upgrade is not immediately possible, restrict network access to the OpenAPI endpoint so that only trusted hosts can reach it.", "Replace or disable the default_token handling by implementing a secure, randomly generated token or enforcing proper authentication for the OpenAPI routes."], "summary": {"action": "Patch", "impact": "Authentication Bypass / Privileged Access"}, "threat_synthesis": {"affected_systems": "Affected releases are Xuxueli XxL-Job versions 3.3.2 and earlier, specifically the xxl-job-admin module that hosts the OpenAPI endpoint. All instances running any of these versions expose the vulnerability until a release that removes the hard\u2011coded key or implements proper token handling is deployed.", "description_and_impact": "The vulnerability resides in Xuxueli XxL-Job's OpenAPI endpoint, where manipulation of the default_token parameter causes the application to use a hard\u2011coded cryptographic key. Based on the description, it is inferred that this may allow an attacker to bypass authentication and access privileged API routes that can trigger arbitrary job executions or other sensitive operations. The CVE description indicates that the exploit can be launched remotely and requires a high level of complexity, but it has been publicly disclosed.", "risk_and_exploitability": "The CVSS score of 6.3 denotes medium severity; no EPSS data is available, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is remote, needing only HTTP requests to the OpenAPI endpoint, and though the exploit is considered difficult due to high complexity, public disclosure implies a realistic threat. Therefore, administrators should evaluate the risk of unauthorized access to the job scheduler and mitigate accordingly."}}}}, "created": "2026-04-29T00:30:15.868944+00:00", "updated": "2026-04-29T02:45:35.948892+00:00", "vendors": ["xuxueli", "xuxueli$PRODUCT$xxl-job"]}