Skip to main content

RuoYi-Vue-Plus CVE-2026-58176

| EUVDEUVD-2026-40356 HIGH
Missing Authorization (CWE-862)
2026-06-30 VulnCheck GHSA-mqqv-459v-978p
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

PR:L reflects required authentication; C:L added over NVD C:N because task enumeration endpoints expose operational approval-queue data; I:H retained for workflow reassignment.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 30, 2026 - 17:23 vuln.today
Severity Changed
Jun 30, 2026 - 17:22 NVD
MEDIUM HIGH
CVSS changed
Jun 30, 2026 - 17:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)

DescriptionCVE.org

RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global authentication. Any authenticated user, regardless of assigned role, can therefore reassign workflow approval tasks to arbitrary users via updateAssignee (defeating segregation of duties in the approval process), urge arbitrary tasks, and enumerate all pending and finished tasks via the pageByAllTaskWait and pageByAllTaskFinish listing endpoints. The issue was resolved by adding permission identifiers (SaCheckPermission) to these endpoints.

AnalysisAI

Broken function-level authorization in RuoYi-Vue-Plus through 5.6.2 allows any authenticated low-privileged user to manipulate workflow approval tasks - including reassigning pending approvals to arbitrary users, urging tasks, and enumerating all pending and completed tasks - by exploiting the absence of permission annotations on FlwTaskController endpoints under /workflow/task. This directly defeats segregation of duties in organizational approval chains, enabling a standard user to redirect approvals meant for specific roles and potentially approve transactions or actions they should never have authority over. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid low-privilege account credentials
Delivery
Authenticate to RuoYi-Vue-Plus REST API
Exploit
Send crafted POST to /workflow/task/updateAssignee with target task ID
Execution
Redirect pending approval to attacker-controlled account
Persist
Approve diverted workflow task
Impact
Bypass segregation-of-duties control

Vulnerability AssessmentAI

Exploitation Exploitation requires possession of any valid authenticated session in a RuoYi-Vue-Plus deployment running version 5.6.2 or earlier - no specific role, administrative privilege, or elevated permission is needed beyond standard login. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N scores 6.5 (Medium), accurately capturing the low-complexity network-accessible nature and high integrity impact from workflow reassignment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A publicly available exploit is referenced in GitHub issue #44 (https://github.com/dromara/RuoYi-Vue-Plus/issues/44). An attacker with any valid low-privileged account authenticates to the RuoYi-Vue-Plus application and sends a crafted HTTP POST to /workflow/task/updateAssignee with a target task ID and a chosen assignee user ID, rerouting a pending financial or access-control approval away from the designated approver to an account the attacker controls. …
Remediation Apply the upstream fix from commit 88d03d970d4d1e96e4fb2dfefaf19f627e8673e9 (https://github.com/dromara/RuoYi-Vue-Plus/commit/88d03d970d4d1e96e4fb2dfefaf19f627e8673e9), which adds SaCheckPermission annotations to the sensitive workflow task endpoints; note that a specific patched release version number has not been independently confirmed beyond this commit, so operators should verify their build incorporates this change. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory RuoYi-Vue-Plus deployments and identify version; if version 5.6.2 or earlier, restrict /workflow/task endpoint access to authorized approval roles and audit recent approval logs. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy