Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
PR:L reflects required authentication; C:L added over NVD C:N because task enumeration endpoints expose operational approval-queue data; I:H retained for workflow reassignment.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global authentication. Any authenticated user, regardless of assigned role, can therefore reassign workflow approval tasks to arbitrary users via updateAssignee (defeating segregation of duties in the approval process), urge arbitrary tasks, and enumerate all pending and finished tasks via the pageByAllTaskWait and pageByAllTaskFinish listing endpoints. The issue was resolved by adding permission identifiers (SaCheckPermission) to these endpoints.
AnalysisAI
Broken function-level authorization in RuoYi-Vue-Plus through 5.6.2 allows any authenticated low-privileged user to manipulate workflow approval tasks - including reassigning pending approvals to arbitrary users, urging tasks, and enumerating all pending and completed tasks - by exploiting the absence of permission annotations on FlwTaskController endpoints under /workflow/task. This directly defeats segregation of duties in organizational approval chains, enabling a standard user to redirect approvals meant for specific roles and potentially approve transactions or actions they should never have authority over. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires possession of any valid authenticated session in a RuoYi-Vue-Plus deployment running version 5.6.2 or earlier - no specific role, administrative privilege, or elevated permission is needed beyond standard login. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N scores 6.5 (Medium), accurately capturing the low-complexity network-accessible nature and high integrity impact from workflow reassignment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A publicly available exploit is referenced in GitHub issue #44 (https://github.com/dromara/RuoYi-Vue-Plus/issues/44). An attacker with any valid low-privileged account authenticates to the RuoYi-Vue-Plus application and sends a crafted HTTP POST to /workflow/task/updateAssignee with a target task ID and a chosen assignee user ID, rerouting a pending financial or access-control approval away from the designated approver to an account the attacker controls. … |
| Remediation | Apply the upstream fix from commit 88d03d970d4d1e96e4fb2dfefaf19f627e8673e9 (https://github.com/dromara/RuoYi-Vue-Plus/commit/88d03d970d4d1e96e4fb2dfefaf19f627e8673e9), which adds SaCheckPermission annotations to the sensitive workflow task endpoints; note that a specific patched release version number has not been independently confirmed beyond this commit, so operators should verify their build incorporates this change. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory RuoYi-Vue-Plus deployments and identify version; if version 5.6.2 or earlier, restrict /workflow/task endpoint access to authorized approval roles and audit recent approval logs. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Ruoyi Vue Plus
View allRuoYi-Vue-Plus (through 5.5.1) allows arbitrary file read/write through QLExpress expression evaluation in the snailjob
A vulnerability has been found in Dromara RuoYi-Vue-Plus 5.4.0 and classified as critical. Affected by this vulnerabilit
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40356
GHSA-mqqv-459v-978p