๐Ÿ” CVE Alert

CVE-2026-58176

MEDIUM 6.5

RuoYi-Vue-Plus - Missing Authorization on Workflow Task Management Endpoints

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 0th

RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global authentication. Any authenticated user, regardless of assigned role, can therefore reassign workflow approval tasks to arbitrary users via updateAssignee (defeating segregation of duties in the approval process), urge arbitrary tasks, and enumerate all pending and finished tasks via the pageByAllTaskWait and pageByAllTaskFinish listing endpoints. The issue was resolved by adding permission identifiers (SaCheckPermission) to these endpoints.
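
A source-level check for the condition described above, added here as an example (it is not code from the RuoYi-Vue-Plus project): it lists Spring handler methods that carry a mapping annotation but no class-level or method-level Sa-Token authorization annotation. The Java samples are constructed; only the controller and method names come from the advisory, and the signatures, paths and permission string are placeholders.

```python
import re

# Spring handler mappings and the Sa-Token annotations that enforce authorization.
MAPPING = re.compile(r"@(Get|Post|Put|Delete|Patch|Request)Mapping\b")
AUTHZ = re.compile(r"@SaCheck(Permission|Role)\b")
CLASS = re.compile(r"\bclass\s+\w+")
METHOD = re.compile(r"\bpublic\s+[\w<>\[\], ?.]+\s+(\w+)\s*\(")

def unguarded_endpoints(java_source):
    """Names of mapped handler methods with no class- or method-level
    authorization annotation. Assumes every annotation sits on its own line."""
    findings, pending = [], []
    in_class = class_guarded = False
    for line in map(str.strip, java_source.splitlines()):
        if line.startswith("@"):
            pending.append(line)  # collect annotations for the next declaration
            continue
        if not line:
            continue
        if not in_class and CLASS.search(line):
            in_class, class_guarded = True, any(AUTHZ.search(a) for a in pending)
        elif in_class and (m := METHOD.search(line)):
            mapped = any(MAPPING.search(a) for a in pending)
            guarded = class_guarded or any(AUTHZ.search(a) for a in pending)
            if mapped and not guarded:
                findings.append(m.group(1))
        pending = []
    return findings

# Constructed sample in the pre-fix shape: authentication only, no permission check.
BEFORE = '''
@RestController
@RequestMapping("/workflow/task")
public class FlwTaskController {
    @PutMapping("/updateAssignee")
    public R<Void> updateAssignee(List<Long> taskIds, String userId) { return null; }
    @GetMapping("/pageByAllTaskWait")
    public TableDataInfo<FlowTaskVo> pageByAllTaskWait(FlowTaskBo bo) { return null; }
    @GetMapping("/pageByAllTaskFinish")
    public TableDataInfo<FlowTaskVo> pageByAllTaskFinish(FlowTaskBo bo) { return null; }
}
'''
# Post-fix shape: every mapped method carries a (placeholder) permission identifier.
AFTER = re.sub(r"(?m)^(\s*)(@(?:Put|Get)Mapping)",
               r'\1@SaCheckPermission("workflow:task:PLACEHOLDER")\n\1\2', BEFORE)

if __name__ == "__main__":
    print("before:", unguarded_endpoints(BEFORE))
    print("after: ", unguarded_endpoints(AFTER))
```

The check is line-based and does not parse Java, so annotations written on the same line as the method signature or split across lines need a real parser.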

CWE: CWE-862
Vendor: dromara
Product: ruoyi-vue-plus
Published: Jun 30, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Affected Versions

dromara / RuoYi-Vue-Plus
0 ≤ 5.6.2

References

github.com: https://github.com/dromara/RuoYi-Vue-Plus/issues/44
github.com: https://github.com/dromara/RuoYi-Vue-Plus/commit/88d03d970d4d1e96e4fb2dfefaf19f627e8673e9
vulncheck.com: https://www.vulncheck.com/advisories/ruoyi-vue-plus-missing-authorization-on-workflow-task-management-endpoints

Credits

George Chen