Home

Description

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation. Attackers can query any process-instance identifier through the unguarded GET endpoint to read sensitive workflow data including submitted form variables, approver identities, approval and rejection comments, and process BPMN XML without ownership or tenant party verification.

PUBLISHED Reserved 2026-06-30 | Published 2026-06-30 | Updated 2026-07-14 | Assigner VulnCheck




MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

Missing Authorization

Product status

Default status
unaffected

Any version before 2026.06
affected

Credits

George Chen finder

References

github.com/YunaiV/yudao-cloud/releases (Release Notes) release-notes patch

github.com/YunaiV/yudao-cloud/issues/315 (Researcher Disclosure) technical-description exploit

www.vulncheck.com/...access-control-via-process-instance-api third-party-advisory

cve.org (CVE-2026-58448)

nvd.nist.gov (CVE-2026-58448)

Download JSON