Description
A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workflow Module. The manipulation leads to missing authorization. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the SaServletFilter handling of the Workflow Module's /workflow/instance/deleteByInstanceIds endpoint. Because the authorization check for this route is missing, a remote attacker holding a low‑privileged account (the CVSS vectors specify PR:L) can delete workflow instances they are not permitted to manage, causing data loss and business‑process disruption. The flaw is classified as Missing Authorization (CWE‑862) and Incorrect Authorization (CWE‑863).

Affected Systems

Affected is Dromara RuoYi‑Vue‑Plus up to and including version 5.5.3; any deployment that exposes the Workflow Module's /workflow/instance/deleteByInstanceIds endpoint is impacted, since that is the route on which the SaServletFilter check is missing. No other versions have been confirmed as affected, and no fixed version has been published.

Risk and Exploitability

The CVSS v4.0 score of 5.3 (6.3 under v3.1) indicates moderate severity; the vector requires low privileges (PR:L) but no user interaction, and the confidentiality, integrity and availability impacts are each rated low. EPSS below 1% suggests a very low current exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. However, a public exploit exists and the flaw can be triggered remotely through ordinary HTTP requests by any authenticated user. With no official fix available, the risk remains until a vendor patch or a workaround is applied.

Generated by OpenCVE AI on April 17, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade RuoYi‑Vue‑Plus to a version newer than 5.5.3 when available.
  • If an upgrade is not possible, restrict access to the /workflow/instance/deleteByInstanceIds endpoint: at the application layer, require a dedicated permission or role for the route rather than only a valid login (the attacker already holds a low‑privileged account); at the network layer, deny the path at the reverse proxy except for an allow‑list of administrative sources.
  • Monitor access and application logs for requests to /workflow/instance/deleteByInstanceIds and for workflow‑instance deletions, and investigate any deletion not attributable to an authorized user.

Generated by OpenCVE AI on April 17, 2026 at 17:34 UTC.
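The following is an added illustration of the application‑layer control recommended above and of the missing check described under Impact; it is example code written for this page, not code from RuoYi‑Vue‑Plus or from the advisory. It uses the Sa‑Token APIs the project is built on (SaServletFilter, SaRouter, StpUtil, @SaCheckPermission), which are real. The permission string "workflow:instance:remove", the path‑variable form of the delete route and the WorkflowInstanceService contract are assumptions made for the example; the project's own names and signatures may differ.

```java
package example.workflow;

import java.util.List;

import cn.dev33.satoken.annotation.SaCheckPermission;
import cn.dev33.satoken.filter.SaServletFilter;
import cn.dev33.satoken.router.SaRouter;
import cn.dev33.satoken.stp.StpUtil;
import cn.dev33.satoken.util.SaResult;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Added example (not RuoYi-Vue-Plus code). Two layers of authorization for the
 * workflow delete route named in the advisory:
 *   1. a Sa-Token SaServletFilter rule that requires a permission on the route;
 *   2. a per-object check in the handler, so that a user who does hold the
 *      permission can still only delete instances they started.
 * The permission string "workflow:instance:remove", the path-variable form of
 * the route and WorkflowInstanceService are assumptions for this example.
 */
@Configuration
public class WorkflowAuthConfig {

    @Bean
    public SaServletFilter saServletFilter() {
        return new SaServletFilter()
            .addInclude("/**")
            .addExclude("/login", "/favicon.ico")
            .setAuth(obj -> {
                // Baseline: every non-excluded request must carry a valid login.
                SaRouter.match("/**", r -> StpUtil.checkLogin());
                // Weak setting: stopping here leaves deleteByInstanceIds reachable
                // by any logged-in user, the missing-authorization condition
                // (CWE-862) the advisory describes.
                // Hardened: the delete route additionally needs a dedicated permission.
                SaRouter.match("/workflow/instance/deleteByInstanceIds/**",
                        r -> StpUtil.checkPermission("workflow:instance:remove"));
            })
            // NotLoginException / NotPermissionException thrown above end up here.
            .setError(e -> SaResult.error(e.getMessage()));
    }
}

/** Assumed service contract for the example; the real project's API may differ. */
interface WorkflowInstanceService {
    /** Login id of the user who started the instance, or null if it does not exist. */
    String startUserIdOf(Long instanceId);

    void deleteByIds(List<Long> instanceIds);
}

@RestController
@RequestMapping("/workflow/instance")
class WorkflowInstanceController {

    private final WorkflowInstanceService service;

    WorkflowInstanceController(WorkflowInstanceService service) {
        this.service = service;
    }

    // The annotation duplicates the filter rule on purpose: the handler stays
    // protected even if the filter's route list is edited later.
    @SaCheckPermission("workflow:instance:remove")
    @DeleteMapping("/deleteByInstanceIds/{instanceIds}")
    public ResponseEntity<Void> deleteByInstanceIds(@PathVariable List<Long> instanceIds) {
        String me = StpUtil.getLoginIdAsString();
        // Object-level check: refuse the whole batch if any id is unknown or
        // belongs to someone else, so a mixed list cannot smuggle foreign ids through.
        for (Long id : instanceIds) {
            String owner = service.startUserIdOf(id);
            if (owner == null || !owner.equals(me)) {
                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
            }
        }
        service.deleteByIds(instanceIds);
        return ResponseEntity.noContent().build();
    }
}
```

The filter rule and the annotation cover the "who may call this route" question; the loop in the handler covers the separate "which instances may this caller touch" question, which a route‑level permission alone does not answer. Checking ownership of every id before deleting anything keeps the operation all‑or‑nothing, so a partially authorized batch does not leave the workflow tables half‑changed.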


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 10:45:00 +0000

  Values added (none removed)
    CPEs: cpe:2.3:a:dromara:ruoyi-vue-plus:*:*:*:*:*:*:*:*

Fri, 20 Feb 2026 10:15:00 +0000

  Values added (none removed)
    First Time appeared: Dromara; Dromara ruoyi-vue-plus
    Vendors & Products: Dromara; Dromara ruoyi-vue-plus

Fri, 20 Feb 2026 02:15:00 +0000

  Values added (none removed)
    Description: A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workflow Module. The manipulation leads to missing authorization. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Title: Dromara RuoYi-Vue-Plus Workflow deleteByInstanceIds SaServletFilter authorization
    Weaknesses: CWE-862, CWE-863
    References:
    Metrics:
      cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T19:00:57.578Z

Reserved: 2026-02-19T17:12:58.633Z

Link: CVE-2026-2819

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-02-20T02:16:55.350

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2819

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses