Skip to main content

ruoyi-vue-pro CVE-2026-57950

| EUVDEUVD-2026-40167 HIGH
Incorrect Authorization (CWE-863)
2026-06-29 disclosure@vulncheck.com GHSA-r39c-vf2w-53j7
8.6
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Authenticated low-privilege user (PR:L) sends network requests (AV:N/AC:L) abusing a misnamed permission check to read and modify sale-order data (C:H/I:H); no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 18:34 vuln.today

DescriptionCVE.org

ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders due to the controller enforcing erp:sale-out instead of the intended erp:sale-order namespace.

AnalysisAI

Broken access control in the ErpSaleOrderController of ruoyi-vue-pro (through version 2026.05) lets authenticated users holding only shipment-level 'erp:sale-out' permissions perform full create, read, update, and delete operations on financially sensitive ERP sale orders. The controller enforces the wrong permission namespace ('erp:sale-out' instead of the intended 'erp:sale-order'), so low-privileged warehouse/shipment operators effectively gain order-management authority. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with erp:sale-out permission
Delivery
Call ErpSaleOrderController endpoints
Exploit
Wrong namespace check passes
Execution
Read/create/update/delete sale orders
Impact
Manipulate financial order data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated ruoyi-vue-pro account that has been granted the 'erp:sale-out' (sale shipment) permission, and the deployment must include the ERP module exposing ErpSaleOrderController at version 2026.05 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N, base 8.6 High) describes a network-reachable, low-complexity flaw requiring authentication (PR:L) with high confidentiality and integrity impact and no availability impact - consistent with the description of an authenticated CRUD-level access-control bypass. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A warehouse or logistics user granted only shipment ('erp:sale-out') permissions logs into the ERP and sends authenticated API requests directly to the ErpSaleOrderController endpoints. Because the controller checks the wrong permission namespace, the requests succeed, letting the user read financially sensitive order data and create, alter, or delete sale orders they should never reach. …
Remediation Upstream fix available (commit 5d1fd70dc3e61bf64e7ce3328a71cc60001175c6); a released patched version was not independently confirmed from the input, so pull the fix from the YunaiV/ruoyi-vue-pro repository or rebuild from a build that includes that commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all ruoyi-vue-pro instances running version 2026.05 or earlier and generate access logs for ErpSaleOrderController activity; cross-reference shipment-level users ('erp:sale-out' permission holders) against order modification events. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57950 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy