Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated low-privilege user (PR:L) sends network requests (AV:N/AC:L) abusing a misnamed permission check to read and modify sale-order data (C:H/I:H); no availability impact.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders due to the controller enforcing erp:sale-out instead of the intended erp:sale-order namespace.
AnalysisAI
Broken access control in the ErpSaleOrderController of ruoyi-vue-pro (through version 2026.05) lets authenticated users holding only shipment-level 'erp:sale-out' permissions perform full create, read, update, and delete operations on financially sensitive ERP sale orders. The controller enforces the wrong permission namespace ('erp:sale-out' instead of the intended 'erp:sale-order'), so low-privileged warehouse/shipment operators effectively gain order-management authority. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated ruoyi-vue-pro account that has been granted the 'erp:sale-out' (sale shipment) permission, and the deployment must include the ERP module exposing ErpSaleOrderController at version 2026.05 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N, base 8.6 High) describes a network-reachable, low-complexity flaw requiring authentication (PR:L) with high confidentiality and integrity impact and no availability impact - consistent with the description of an authenticated CRUD-level access-control bypass. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A warehouse or logistics user granted only shipment ('erp:sale-out') permissions logs into the ERP and sends authenticated API requests directly to the ErpSaleOrderController endpoints. Because the controller checks the wrong permission namespace, the requests succeed, letting the user read financially sensitive order data and create, alter, or delete sale orders they should never reach. … |
| Remediation | Upstream fix available (commit 5d1fd70dc3e61bf64e7ce3328a71cc60001175c6); a released patched version was not independently confirmed from the input, so pull the fix from the YunaiV/ruoyi-vue-pro repository or rebuild from a build that includes that commit. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all ruoyi-vue-pro instances running version 2026.05 or earlier and generate access logs for ErpSaleOrderController activity; cross-reference shipment-level users ('erp:sale-out' permission holders) against order modification events. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40167
GHSA-r39c-vf2w-53j7