How to fix CVE-2025-70986?

Within 24 hours: Identify and inventory all RuoYi v4.8.2 instances in production and non-production environments; disable the selectDept function if operationally feasible or restrict network access to it. Within 7 days: Implement WAF rules to block suspicious selectDept requests; conduct access logs review for unauthorized department data access attempts; notify affected business units of potential exposure. Within 30 days: Upgrade to patched RuoYi version when available; perform comprehensive security audit of department data access logs; implement additional authentication/authorization controls on sensitive API endpoints.

Is Ruoyi affected by CVE-2025-70986?

CVE-2025-70986 affects RuoYi v4.8.2 deployments, allowing unauthorized attackers to bypass access controls and access sensitive department data without proper authentication.

CVE-2025-70986

HIGH

2026-01-23 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 30, 2026 - 21:26 vuln.today

Public exploit code

CVE Published

Jan 23, 2026 - 19:15 nvd

HIGH 7.5

Description

Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data.

Analysis

Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data. [CVSS 7.5 HIGH]

Technical Context

Classified as CWE-284 (Improper Access Control). Affects the selectDept component of Ruoyi. Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data.

Affected Products

Vendor: Ruoyi. Product: Ruoyi. Versions: up to 4.8.1. Component: selectDept.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: +20

CVE-2025-70986 vulnerability details – vuln.today

Back

CVE-2025-70986

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-70986

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code