CVE-2026-58448
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation. Attackers can query any process-instance identifier through the unguarded GET endpoint to read sensitive workflow data including submitted form variables, approver identities, approval and rejection comments, and process BPMN XML without ownership or tenant party verification.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| YunaiV | yudao-cloud | 0 < 2026.06 | affected |
Weaknesses
- CWE-862: Missing Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/YunaiV/yudao-cloud/releases#release-v2026.06(jdk8/11)
- https://github.com/YunaiV/yudao-cloud/issues/315
- https://www.vulncheck.com/advisories/yudao-cloud-bpm-module-broken-access-control-via-process-instance-api
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.