Description
RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global authentication. Any authenticated user, regardless of assigned role, can therefore reassign workflow approval tasks to arbitrary users via updateAssignee (defeating segregation of duties in the approval process), urge arbitrary tasks, and enumerate all pending and finished tasks via the pageByAllTaskWait and pageByAllTaskFinish listing endpoints. The issue was resolved by adding permission identifiers (SaCheckPermission) to these endpoints.
Published: 2026-06-30
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is the absence of permission checks on the workflow task management endpoints in RuoYi-Vue-Plus. FlwTaskController exposes actions such as updateAssignee, urge, and the pageByAllTaskWait / pageByAllTaskFinish listing methods with no class- or method-level authorization annotation, so the only gate is the application's global login check and any authenticated user can invoke them. An attacker with an ordinary account can therefore reassign approval tasks to arbitrary users (including themselves), urge arbitrary tasks, and enumerate every pending or finished task in the system, undermining segregation of duties in the approval process and exposing workflow data to every account holder.

Affected Systems

RuoYi-Vue-Plus versions up to and including 5.6.2 are affected. The defect was remedied in commit 88d03d9, which introduced SaCheckPermission annotations on the vulnerable endpoints. The product is distributed as open-source by Dromara and is commonly used as a backend for enterprise applications.
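The following Java controller is an added illustration of the defect and its fix, not the project's own FlwTaskController or the code of commit 88d03d9. Route paths, parameter names and the permission strings are assumptions chosen to match the endpoint names in the description; the real controller and the identifiers chosen upstream may differ. It shows the vulnerable shape (no authorization annotation anywhere) in the header comment and the hardened shape (a Sa-Token @SaCheckPermission on every method) in the class body.

```java
package org.dromara.workflow.controller; // assumed package; adjust to the project's layout

import cn.dev33.satoken.annotation.SaCheckPermission;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/*
 * Added example, not the project's controller. Paths and permission strings
 * are assumptions.
 *
 * Vulnerable shape (CWE-862): neither the class nor any method carries
 * @SaCheckPermission / @SaCheckRole, so Sa-Token's global login check is the
 * only gate and every logged-in account reaches every method:
 *
 *   @RestController
 *   @RequestMapping("/workflow/task")
 *   public class FlwTaskController {
 *       @PutMapping("/updateAssignee/{taskId}/{userId}")
 *       public String updateAssignee(...) { ... }   // any user may call this
 *   }
 */
@RestController
@RequestMapping("/workflow/task")
public class FlwTaskController {

    // Hardened shape: each endpoint names a permission identifier. Sa-Token's
    // annotation handler compares it with the caller's granted permissions
    // before the method body runs and throws NotPermissionException
    // otherwise, which the application's global exception handler turns into
    // an error response. The handler only fires when SaInterceptor is
    // registered for this route, so confirm that in the deployment.
    @SaCheckPermission("workflow:task:updateAssignee")
    @PutMapping("/updateAssignee/{taskId}/{userId}")
    public String updateAssignee(@PathVariable String taskId, @PathVariable String userId) {
        return "task " + taskId + " reassigned to " + userId;
    }

    @SaCheckPermission("workflow:task:urge")
    @PostMapping("/urge/{taskId}")
    public String urge(@PathVariable String taskId) {
        return "urged " + taskId;
    }

    // The listing endpoints get their own identifier so that "see every task"
    // can be granted independently of "reassign tasks".
    @SaCheckPermission("workflow:task:list")
    @GetMapping("/pageByAllTaskWait")
    public String pageByAllTaskWait() {
        return "all pending tasks";
    }

    @SaCheckPermission("workflow:task:list")
    @GetMapping("/pageByAllTaskFinish")
    public String pageByAllTaskFinish() {
        return "all finished tasks";
    }
}
```

In RuoYi-style deployments the permission strings are stored on menu entries (the perms column of sys_menu) and reach users through role assignment, so adding the annotations without also granting the identifiers to the approval-manager roles will lock legitimate users out; a quick check after deploying is to call each endpoint once with a low-privilege account (expect a permission error) and once with the intended role (expect success).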

Risk and Exploitability

The CVSS v4.0 score of 7.1 classifies the issue as High; the v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) scores 6.5, Medium. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs only valid credentials for the application (PR:L) and no user interaction; the global authentication requirement is the sole barrier. Because the missing authorization spans the entire controller, a single authenticated low-privilege user can perform every action it exposes, so exploitation is straightforward. Note that both vectors record integrity impact only (C:N): the listing endpoints expose workflow metadata to any account, but that was not scored as a confidentiality loss, so weigh the enumeration exposure against the sensitivity of your own approval data.

Generated by OpenCVE AI on June 30, 2026 at 17:24 UTC.

Remediation

The description names commit 88d03d9 as the fix; no vendor advisory or separate workaround is linked on this page.

OpenCVE Recommended Actions

  • Apply the fix that adds SaCheckPermission annotations to FlwTaskController (commit 88d03d9), or upgrade to a release later than 5.6.2 that contains it; then assign the new permission identifiers to the roles that legitimately manage workflow tasks, since those users lose access once the check is enforced.
  • Enforce role-based access control for workflow task operations so that only authorized roles can call updateAssignee, urge, and the task-listing endpoints, and verify it by calling each endpoint with a low-privilege account and confirming the request is refused.
  • Review operation logs for task reassignments, urges, or bulk listing requests from accounts that do not hold a workflow-management role, and until the patch is deployed restrict access to /workflow/task/* (for example at the reverse proxy) in any environment that has untrusted authenticated users.
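The log review in the last recommendation, as an added example that is not OpenCVE's or the project's code. It scans operation-log rows for successful calls to the endpoints named in the description by accounts outside the set the reviewer knows to hold a workflow-management role. The row layout mirrors RuoYi's sys_oper_log columns (oper_name, oper_url, request_method, status with 0 meaning success, oper_time) joined with "|"; the rows in main() are constructed for the example, and the permitted-user set is an assumed input the reviewer takes from their own role assignments.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/*
 * Added example, not the project's code. Flags successful calls to the
 * unprotected FlwTaskController endpoints by accounts that should not manage
 * workflow tasks. Row format (assumed, modelled on sys_oper_log):
 *   oper_name|oper_url|request_method|status|oper_time
 */
public class FlwTaskLogReview {

    // Prefix match so path variables (/updateAssignee/1001/7) still hit.
    static final List<String> SENSITIVE = List.of(
        "/workflow/task/updateAssignee",
        "/workflow/task/urge",
        "/workflow/task/pageByAllTaskWait",
        "/workflow/task/pageByAllTaskFinish");

    public record Hit(String user, String url, String time) {}

    /*
     * permittedUsers: accounts holding the workflow-management role according
     * to the reviewer's own role assignments. Before the patch the application
     * refused none of these calls, so "succeeded and caller not in the
     * permitted set" is the only signal the log can give; the log alone cannot
     * tell abuse from a sanctioned call by a privileged user.
     */
    public static List<Hit> findUnauthorized(List<String> rows, Set<String> permittedUsers) {
        List<Hit> hits = new ArrayList<>();
        for (String row : rows) {
            String[] f = row.split("\\|", -1);
            if (f.length < 5) {
                continue; // malformed row, skip rather than guess
            }
            String user = f[0];
            String url = f[1];
            String status = f[3]; // "0" = success in sys_oper_log
            String time = f[4];
            boolean sensitive = SENSITIVE.stream().anyMatch(url::startsWith);
            if (sensitive && "0".equals(status) && !permittedUsers.contains(user)) {
                hits.add(new Hit(user, url, time));
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample rows, not a real log.
        List<String> rows = List.of(
            "admin|/workflow/task/updateAssignee/1001/7|PUT|0|2026-06-30 09:12:03",
            "bob|/workflow/task/updateAssignee/1002/bob|PUT|0|2026-06-30 09:15:41",
            "bob|/workflow/task/pageByAllTaskWait|GET|0|2026-06-30 09:16:02",
            "carol|/workflow/task/urge/1003|POST|1|2026-06-30 09:20:10",
            "bob|/system/user/profile|GET|0|2026-06-30 09:21:00");
        for (Hit h : findUnauthorized(rows, Set.of("admin"))) {
            System.out.println("REVIEW " + h.time() + " " + h.user() + " " + h.url());
        }
    }
}
```

A self-reassignment (updateAssignee with the caller's own id as the target) followed by a full pending-task listing from the same non-privileged account is the pattern to prioritise; failed calls (status 1) are left out because the pre-patch application only failed them for reasons unrelated to authorization.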



Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | (empty) | RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global authentication. Any authenticated user, regardless of assigned role, can therefore reassign workflow approval tasks to arbitrary users via updateAssignee (defeating segregation of duties in the approval process), urge arbitrary tasks, and enumerate all pending and finished tasks via the pageByAllTaskWait and pageByAllTaskFinish listing endpoints. The issue was resolved by adding permission identifiers (SaCheckPermission) to these endpoints.
Title | (empty) | RuoYi-Vue-Plus - Missing Authorization on Workflow Task Management Endpoints
First Time appeared | (empty) | Dromara; Dromara ruoyi-vue-plus
Weaknesses | (empty) | CWE-862
CPEs | (empty) | cpe:2.3:a:dromara:ruoyi-vue-plus:*:*:*:*:*:*:*:*
Vendors & Products | (empty) | Dromara; Dromara ruoyi-vue-plus
References | (empty) | (empty)
Metrics | (empty) | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}; cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Dromara Ruoyi-vue-plus
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T15:56:17.884Z

Reserved: 2026-06-29T16:23:52.713Z

Link: CVE-2026-58176

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T23:45:05Z

Weaknesses