Impact
The vulnerability is a broken access control flaw in the ErpSaleOrderController that lets an attacker use a misconfigured permission namespace to create, read, update and delete financial sale orders. The controller's authorization checks enforce the erp:sale-out namespace (the shipment-level permissions) instead of the intended erp:sale-order namespace, so any account holding erp:sale-out or related shipment-level permissions can operate on sale orders without ever being granted sale-order rights. The weakness is classified as CWE-863 (Incorrect Authorization): an authorization check is performed, but against the wrong permission, so it admits users who should not reach this privileged functionality.
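This class of bug (a per-method permission string that belongs to a different resource than the controller's route) is easy to catch with a source-level consistency check. The script below is an added example, not code from ruoyi-vue-pro or from the advisory: it parses a constructed, simplified controller written in the ruoyi-vue-pro style, derives the expected permission prefix from the class-level route, and reports every @PreAuthorize whose module:resource prefix does not match. The route, method names and exact permission strings in the sample are assumptions made for illustration; the real project's annotations may differ in detail.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of a ruoyi-vue-pro Spring controller. It is
# NOT the project's code; the route, method names and permission strings are
# assumptions chosen to reproduce the namespace mix-up described above.
SAMPLE_CONTROLLER = '''
@RestController
@RequestMapping("/erp/sale-order")
public class ErpSaleOrderController {

    @PostMapping("/create")
    @PreAuthorize("@ss.hasPermission('erp:sale-out:create')")
    public CommonResult<Long> createSaleOrder(@RequestBody ErpSaleOrderSaveReqVO vo) { ... }

    @PutMapping("/update")
    @PreAuthorize("@ss.hasPermission('erp:sale-out:update')")
    public CommonResult<Boolean> updateSaleOrder(@RequestBody ErpSaleOrderSaveReqVO vo) { ... }

    @GetMapping("/get")
    @PreAuthorize("@ss.hasPermission('erp:sale-order:query')")
    public CommonResult<ErpSaleOrderRespVO> getSaleOrder(@RequestParam("id") Long id) { ... }
}
'''

# Class-level route, e.g. @RequestMapping("/erp/sale-order")
MAPPING_RE = re.compile(r'@RequestMapping\("(/[^"]+)"\)')

# Permission string inside @PreAuthorize, followed by the annotated method's name.
PERM_RE = re.compile(
    r"""@PreAuthorize\("@ss\.hasPermission\('([^']+)'\)"\)\s*public\s+\S+\s+(\w+)\s*\("""
)


def controller_resource(src: str) -> str:
    """Derive the permission prefix implied by the class-level route.

    "/erp/sale-order" -> "erp:sale-order". This relies on the project
    convention that route segments and permission segments line up; it is a
    heuristic, not a guarantee.
    """
    m = MAPPING_RE.search(src)
    if not m:
        raise ValueError("no class-level @RequestMapping found")
    return m.group(1).strip("/").replace("/", ":")


def find_permissions(src: str) -> List[Tuple[str, str]]:
    """Return (method_name, permission_string) for every @PreAuthorize found."""
    return [(meth, perm) for perm, meth in PERM_RE.findall(src)]


def find_mismatches(src: str) -> List[Tuple[str, str, str]]:
    """Return (method, permission, expected_prefix) for each permission whose
    module:resource part differs from what the controller's route implies."""
    expected = controller_resource(src)
    mismatches = []
    for meth, perm in find_permissions(src):
        # Permissions are module:resource:action; compare only module:resource.
        prefix = perm.rsplit(":", 1)[0]
        if prefix != expected:
            mismatches.append((meth, perm, expected))
    return mismatches


if __name__ == "__main__":
    for meth, perm, expected in find_mismatches(SAMPLE_CONTROLLER):
        print(f"{meth}: checks '{perm}' but route implies '{expected}:*'")
```

Run against the sample, the check flags createSaleOrder and updateSaleOrder (both guarded by erp:sale-out permissions) and accepts getSaleOrder, which uses the erp:sale-order namespace. Running the same check over every controller in a deployment is a cheap way to find other endpoints whose permission prefix has drifted from their route; each hit still needs a human to confirm that the mismatch is a defect rather than a deliberate shared permission.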
Affected Systems
The affected product is Yunai's ruoyi-vue-pro, versions up to 2026.05. The defect is fixed in commit 5d1fd70dc3e61bf64e7ce3328a71cc60001175c6; any deployment built from a release in that range that does not include this commit is vulnerable.
Risk and Exploitability
The CVSS score of 8.6 indicates high severity. No EPSS score is available, so the probability of exploitation in the wild cannot be quantified, and the vulnerability is not listed in CISA KEV. Exploitation does not require an unauthenticated remote attacker: it requires only an authenticated account holding erp:sale-out-level permissions, and any such user can call the sale-order endpoints and read or modify sale orders they were never authorized to access. The practical risk is therefore concentrated in insider misuse and compromised low-privilege accounts.
OpenCVE Enrichment