CVE 6.5 MEDIUM

yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API_CVE-2026-58448

6.5 / 10
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation. Attackers can query any process-instance identifier through the unguarded GET endpoint to read sensitive workflow data including submitted form variables, approver identities, approval and rejection comments, and process BPMN XML without ownership or tenant party verification.

Basic Information

ID CVE-2026-58448
Source VulnCheck
Published Jun 30, 2026 at 21:06

Affected Product

Vendor YunaiV
Product yudao-cloud
Affected Versions YunaiV yudao-cloud 0

CWE Classification

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.