CVE Alert

CVE-2026-58448

MEDIUM 6.5

yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an endpoint that lacks the @PreAuthorize annotation. Attackers can query any process-instance identifier through the unguarded GET endpoint to read sensitive workflow data, including submitted form variables, approver identities, approval and rejection comments, and the process BPMN XML, because the endpoint verifies neither ownership of the instance nor tenant membership.
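The description above names two missing checks: a function-level one (no @PreAuthorize on the GET endpoint) and an object-level one (no ownership or tenant verification of the caller-supplied id). The following Spring controller and service show the vulnerable shape beside a hardened one; this is an added illustration, not yudao-cloud's code, and the endpoint paths, permission string, SecurityUtils helper, repository and DO/VO types are assumptions.

```java
// Added illustration of the CWE-862 pattern described in the advisory; not
// yudao-cloud's code. Paths, permission string, SecurityUtils,
// ProcessInstanceRepo and the DO/VO types are assumptions.
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ProcessInstanceController {
    private final ProcessInstanceService service;
    public ProcessInstanceController(ProcessInstanceService service) { this.service = service; }

    // BEFORE (vulnerable): no @PreAuthorize, and the id is looked up as-is,
    // so any authenticated user can fetch any tenant's process instance.
    @GetMapping("/bpm/process-instance/get")
    public ProcessInstanceRespVO getVulnerable(@RequestParam("id") String id) {
        return service.getProcessInstance(id);
    }

    // AFTER (hardened): function-level check via @PreAuthorize, then an
    // object-level check in the service scoped to the caller's tenant and role.
    @PreAuthorize("hasAuthority('bpm:process-instance:query')")
    @GetMapping("/bpm/process-instance/get-secure")
    public ProcessInstanceRespVO getHardened(@RequestParam("id") String id) {
        Long tenantId = SecurityUtils.currentTenantId(); // assumed helper
        Long userId = SecurityUtils.currentUserId();     // assumed helper
        return service.getProcessInstanceAsParty(id, tenantId, userId);
    }
}

class ProcessInstanceService {
    private final ProcessInstanceRepo repo; // assumed data-access type
    ProcessInstanceService(ProcessInstanceRepo repo) { this.repo = repo; }

    ProcessInstanceRespVO getProcessInstance(String id) {
        return repo.findById(id).map(ProcessInstanceRespVO::of).orElse(null);
    }

    // Object-level authorization: the lookup is scoped by tenant, and the caller
    // must be the starter or an assignee. "No such row in this tenant" and "not a
    // party" raise the same error, so the endpoint does not reveal which ids exist.
    ProcessInstanceRespVO getProcessInstanceAsParty(String id, Long tenantId, Long userId) {
        ProcessInstanceDO inst = repo.findByIdAndTenantId(id, tenantId)
                .orElseThrow(() -> new AccessDeniedException("process instance not accessible"));
        boolean isParty = userId.equals(inst.getStartUserId()) || repo.isAssignee(id, userId);
        if (!isParty) throw new AccessDeniedException("process instance not accessible");
        return ProcessInstanceRespVO.of(inst);
    }
}
```

When reviewing a fix for this class of bug, check that both layers are present: the annotation alone only proves the caller may use the feature, not that the caller may see this particular instance.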

CWE CWE-862
Vendor yunaiv
Product yudao-cloud
Published Jun 30, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

YunaiV / yudao-cloud
0 < 2026.06

References

NVD, CVE.org, EPSS Data (external links)
github.com: https://github.com/YunaiV/yudao-cloud/releases#release-v2026.06(jdk8/11)
github.com: https://github.com/YunaiV/yudao-cloud/issues/315
vulncheck.com: https://www.vulncheck.com/advisories/yudao-cloud-bpm-module-broken-access-control-via-process-instance-api

Credits

George Chen