Impact
The vulnerability lies in the absence of permission checks on the workflow task management endpoints in RuoYi-Vue-Plus. The FlwTaskController provides actions such as updateAssignee, urge, and listing methods without any class- or method-level authorization annotations, so any authenticated user can invoke them. This allows an attacker to reassign approval tasks to arbitrary users, force or accelerate completed tasks, and enumerate all pending or finished tasks, effectively undermining segregation of duties and exposing confidential workflow data.
Affected Systems
RuoYi-Vue-Plus versions up to and including 5.6.2 are affected. The defect was remedied in commit 88d03d9, which introduced SaCheckPermission annotations on the vulnerable endpoints. The product is distributed as open-source by Dromara and is commonly used as a backend for enterprise applications.
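The following Java sketch is an added illustration of the defect class and its remedy, not RuoYi-Vue-Plus's own source and not the diff from commit 88d03d9. It places a minimal Spring controller with no authorization annotation (the vulnerable shape) beside the same controller guarded by Sa-Token's SaCheckPermission annotation, which is the mechanism the fix introduced. The task model, the in-memory store, the request paths and the permission codes ("workflow:task:list", "workflow:task:updateAssignee") are assumed placeholders chosen for the example; the real permission strings are whatever the project's commit defines.

```java
package example.workflow;

import cn.dev33.satoken.annotation.SaCheckPermission;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.ArrayList;
import java.util.List;

// Constructed task model and in-memory store standing in for the
// workflow engine; not the project's real entities.
record TaskVo(long id, String assignee, boolean finished) {}

class TaskStore {
    private final List<TaskVo> tasks = new ArrayList<>();

    TaskStore() {
        tasks.add(new TaskVo(1L, "alice", false));
        tasks.add(new TaskVo(2L, "bob", true));
    }

    List<TaskVo> pending() {
        return tasks.stream().filter(t -> !t.finished()).toList();
    }

    List<TaskVo> finished() {
        return tasks.stream().filter(TaskVo::finished).toList();
    }

    // Reassign an open task; returns false when the id is unknown or already finished.
    boolean reassign(long id, String newAssignee) {
        for (int i = 0; i < tasks.size(); i++) {
            TaskVo t = tasks.get(i);
            if (t.id() == id && !t.finished()) {
                tasks.set(i, new TaskVo(id, newAssignee, false));
                return true;
            }
        }
        return false;
    }
}

// BEFORE: the vulnerable shape. No authorization annotation at class or
// method level, so the global login check is the only barrier and every
// logged-in session can list and reassign tasks.
@RestController
@RequestMapping("/example/task-unguarded")   // assumed path, not the project's
class FlwTaskControllerBefore {
    private final TaskStore store = new TaskStore();

    @GetMapping("/pageByAllTaskWait")
    public List<TaskVo> pageByAllTaskWait() { return store.pending(); }

    @GetMapping("/pageByAllTaskFinish")
    public List<TaskVo> pageByAllTaskFinish() { return store.finished(); }

    @PutMapping("/updateAssignee/{taskId}/{userId}")
    public boolean updateAssignee(@PathVariable long taskId, @PathVariable String userId) {
        return store.reassign(taskId, userId);
    }
}

// AFTER: the same handlers behind Sa-Token permission checks. The
// class-level annotation gates every handler; the write endpoint adds a
// stricter method-level code. Permission codes here are assumed placeholders.
@RestController
@RequestMapping("/example/task")             // assumed path, not the project's
@SaCheckPermission("workflow:task:list")
class FlwTaskControllerAfter {
    private final TaskStore store = new TaskStore();

    @GetMapping("/pageByAllTaskWait")
    public List<TaskVo> pageByAllTaskWait() { return store.pending(); }

    @GetMapping("/pageByAllTaskFinish")
    public List<TaskVo> pageByAllTaskFinish() { return store.finished(); }

    @SaCheckPermission("workflow:task:updateAssignee")
    @PutMapping("/updateAssignee/{taskId}/{userId}")
    public boolean updateAssignee(@PathVariable long taskId, @PathVariable String userId) {
        return store.reassign(taskId, userId);
    }
}
```

Two checks worth running against a patched deployment: first, Sa-Token evaluates these annotations only when its interceptor (SaInterceptor) or its AOP module is registered, so confirm that registration rather than trusting the annotation's presence; second, an integration test that calls updateAssignee with a session lacking the permission should fail with Sa-Token's NotPermissionException before the handler body runs, which is the behavioural evidence that the authorization gap is closed.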
Risk and Exploitability
The CVSS score of 7.1 classifies the issue as medium-to-high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers only need valid credentials to the application; the global authentication requirement is the sole barrier. Because the missing authorization spans the entire controller, a single authenticated user can perform all harmful actions, making exploitation straightforward. The practical impact includes unauthorized task manipulation, policy violation, and potential data exposure.
OpenCVE Enrichment