Skip to main content

ruoyi-vue-pro CVE-2026-57949

| EUVDEUVD-2026-40166 HIGH
Missing Authorization (CWE-862)
2026-06-29 disclosure@vulncheck.com GHSA-pv3j-frmx-3v9q
7.1
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable API needing only a low-privilege authenticated account (PR:L) with no user interaction; impact is unauthorized data disclosure only, so C:H and I:N/A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 18:33 vuln.today

DescriptionCVE.org

ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this by sending requests with arbitrary ID parameters to access other users' follow-up notes, file attachments, scheduling information, and business entity references without proper authorization checks.

AnalysisAI

Broken object-level authorization (IDOR) in the ruoyi-vue-pro CRM module lets any authenticated user read arbitrary follow-up records via the GET /admin-api/crm/follow-up-record/get endpoint, which fails to verify record ownership. Because record IDs are sequential integers, a low-privileged user can enumerate IDs to harvest other users' follow-up notes, file attachments, scheduling data, and linked business-entity references. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Reach CRM follow-up-record/get API
Exploit
Iterate sequential numeric ID parameter
Execution
Server skips ownership check
Impact
Exfiltrate other users' CRM records

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account on the target ruoyi-vue-pro instance (CVSS PR:L) with reachability to the CRM module's GET /admin-api/crm/follow-up-record/get endpoint; the attacker supplies arbitrary sequential numeric ID values in the request. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H, base 7.1) is internally consistent with the description: network-reachable, low complexity, requires low privileges (an authenticated account), no user interaction, and a pure confidentiality impact with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user with any valid low-privileged CRM account scripts requests to GET /admin-api/crm/follow-up-record/get while incrementing the numeric ID parameter, walking the sequential key space. Each request returns another user's follow-up record - notes, attachments, schedules, and business-entity references - allowing bulk harvesting of CRM data the attacker was never authorized to see. …
Remediation Upstream fix available (commit c779a47); a tagged/released patched version is not independently confirmed from the provided data, so operators should update to a build that incorporates commit c779a476617c58a38904191094d22df254b42542 (see https://github.com/YunaiV/ruoyi-vue-pro/commit/c779a476617c58a38904191094d22df254b42542 and issue https://github.com/YunaiV/ruoyi-vue-pro/issues/1159). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all ruoyi-vue-pro CRM instances in your environment and restrict network access to /admin-api/crm/follow-up-record endpoints via WAF or firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57949 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy