Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network endpoint reachable by any authenticated low-privilege user (PR:L) with no UI; broken access control discloses sensitive workflow data (C:H) but cannot modify or disrupt it (I:N/A:N).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation. Attackers can query any process-instance identifier through the unguarded GET endpoint to read sensitive workflow data including submitted form variables, approver identities, approval and rejection comments, and process BPMN XML without ownership or tenant party verification.
AnalysisAI
Information disclosure in the yudao-cloud BPM (business process management) module before 2026.06 lets any authenticated user read arbitrary workflow process-instance records by passing a caller-controlled process-instance ID to a GET endpoint that lacks the @PreAuthorize authorization check. Exposed data includes submitted form variables, approver identities, approval/rejection comments, and raw BPMN XML, with no ownership or tenant validation enforced. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid authenticated session (CVSS PR:L - any low-privilege user account, no admin rights), and the target must run a yudao-cloud build before 2026.06 with the BPM module enabled and its process-instance GET endpoint network-reachable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, base 7.1) describes a network-reachable, low-complexity attack requiring low privileges (any valid account) and no user interaction, with high confidentiality impact but no integrity or availability impact - consistent with an authorization-only data-leak flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains any low-privilege account on a yudao-cloud deployment, authenticates, and issues GET requests to the unguarded BPM process-instance endpoint while iterating through process-instance identifiers. Because no ownership or tenant check runs, each request returns another user's or tenant's workflow data - form submissions, approver names, and approval/rejection comments - which the attacker scripts into a bulk harvest. … |
| Remediation | Vendor-released patch: upgrade to yudao-cloud 2026.06 (jdk8/11 build) from https://github.com/YunaiV/yudao-cloud/releases, which restores the missing authorization control on the BPM process-instance endpoint. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: confirm yudao-cloud BPM deployment status and current version in your environment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Yudao Cloud
View allRemote SQL injection in YunaiV yudao-cloud up to version 2026.01 allows unauthenticated attackers to execute arbitrary S
Server-side request forgery in YunaiV yudao-cloud 2026.03 allows authenticated administrators to force the server to iss
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40416
GHSA-f6rh-2m88-w48m