Skip to main content

yudao-cloud EUVDEUVD-2026-40416

| CVE-2026-58448 HIGH
Missing Authorization (CWE-862)
2026-06-30 VulnCheck GHSA-f6rh-2m88-w48m
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network endpoint reachable by any authenticated low-privilege user (PR:L) with no UI; broken access control discloses sensitive workflow data (C:H) but cannot modify or disrupt it (I:N/A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:N/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 30, 2026 - 22:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 22:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 22:22 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 22:22 NVD
MEDIUM HIGH
CVSS changed
Jun 30, 2026 - 22:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Jun 30, 2026 - 22:04 vuln.today

DescriptionCVE.org

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation. Attackers can query any process-instance identifier through the unguarded GET endpoint to read sensitive workflow data including submitted form variables, approver identities, approval and rejection comments, and process BPMN XML without ownership or tenant party verification.

AnalysisAI

Information disclosure in the yudao-cloud BPM (business process management) module before 2026.06 lets any authenticated user read arbitrary workflow process-instance records by passing a caller-controlled process-instance ID to a GET endpoint that lacks the @PreAuthorize authorization check. Exposed data includes submitted form variables, approver identities, approval/rejection comments, and raw BPMN XML, with no ownership or tenant validation enforced. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with any low-privilege account
Delivery
Locate BPM process-instance GET endpoint
Exploit
Supply arbitrary process-instance identifier
Execution
Bypass missing authorization check
Impact
Enumerate IDs and harvest workflow data

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid authenticated session (CVSS PR:L - any low-privilege user account, no admin rights), and the target must run a yudao-cloud build before 2026.06 with the BPM module enabled and its process-instance GET endpoint network-reachable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, base 7.1) describes a network-reachable, low-complexity attack requiring low privileges (any valid account) and no user interaction, with high confidentiality impact but no integrity or availability impact - consistent with an authorization-only data-leak flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains any low-privilege account on a yudao-cloud deployment, authenticates, and issues GET requests to the unguarded BPM process-instance endpoint while iterating through process-instance identifiers. Because no ownership or tenant check runs, each request returns another user's or tenant's workflow data - form submissions, approver names, and approval/rejection comments - which the attacker scripts into a bulk harvest. …
Remediation Vendor-released patch: upgrade to yudao-cloud 2026.06 (jdk8/11 build) from https://github.com/YunaiV/yudao-cloud/releases, which restores the missing authorization control on the BPM process-instance endpoint. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: confirm yudao-cloud BPM deployment status and current version in your environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40416 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy