Back to overview

CVE-2026-58448

MEDIUM
6.5
CVSS 3.1
Description
yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation. Attackers can query any process-instance identifier through the unguarded GET endpoint to read sensitive workflow data including submitted form variables, approver identities, approval and rejection comments, and process BPMN XML without ownership or tenant party verification.

Metadata

CVE ID
CVE-2026-58448
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-30 19:09 UTC
Published
2026-06-30 21:06 UTC
Last updated
2026-06-30 21:06 UTC
Primary CWE
CWE-862
Missing Authorization
Vendor / Product
YunaiV / yudao-cloud
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
YunaiV yudao-cloud 0 < 2026.06
Weakness (CWE)
CWESourceDescription
CWE-862 cna Missing Authorization
CVSS scores (2)
ScoreSeverityVersionSourceVector
7.1 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
6.5 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Back to overview