Impact
yudao‑cloud versions before 2026.06 contain a broken access control flaw in the BPM module that lets any authenticated user retrieve data from arbitrary process instances. The vulnerable GET endpoint accepts a caller‑controlled process‑instance identifier, carries no @PreAuthorize annotation, and performs no authorization check of its own, so the only thing standing between a caller and another user's process instance is knowledge of its identifier. The weakness is classified as CWE‑862 (Missing Authorization). An attacker can read sensitive workflow information, including submitted form data, approver identities, comments, and the underlying BPMN XML, because neither ownership of the instance nor membership in its tenant is verified.
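To make the flaw class concrete, the following is an added illustration in a generic Spring Boot / Spring Security controller; it is not yudao‑cloud source code and does not reproduce the real endpoint path. Every name in it (the `/bpm/process-instance` mapping, `ProcessInstanceService`, `ProcessInstanceEntity`, `CurrentUser`, the `bpm:process-instance:query` permission string and the `bpm_admin` role) is a hypothetical placeholder. It shows the vulnerable shape described above beside a hardened version that layers a method-level permission gate with an object-level ownership and tenant check.

```java
// Added example (not yudao-cloud code). Demonstrates a CWE-862 missing-authorization
// read endpoint and a hardened counterpart. All identifiers are hypothetical.
package example.bpm;

import java.util.List;
import java.util.Optional;
import java.util.function.Function;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Minimal stand-ins for persistence and the authenticated principal (hypothetical).
record ProcessInstanceEntity(String id, long tenantId, long startUserId,
                             List<Long> approverIds, String bpmnXml, String formJson) {}
record ProcessInstanceRespVO(String id, String bpmnXml, String formJson) {}
record CurrentUser(long id, long tenantId, List<String> roles) {
    boolean hasRole(String role) { return roles.contains(role); }
}
class NotFoundException extends RuntimeException {}

class ProcessInstanceService {
    private final Function<String, Optional<ProcessInstanceEntity>> repo; // lookup by id
    private final java.util.function.Supplier<CurrentUser> principal;     // current caller

    ProcessInstanceService(Function<String, Optional<ProcessInstanceEntity>> repo,
                           java.util.function.Supplier<CurrentUser> principal) {
        this.repo = repo;
        this.principal = principal;
    }

    // VULNERABLE: returns whatever instance the caller names. No ownership or tenant check.
    ProcessInstanceRespVO getProcessInstance(String id) {
        ProcessInstanceEntity e = repo.apply(id).orElseThrow(NotFoundException::new);
        return new ProcessInstanceRespVO(e.id(), e.bpmnXml(), e.formJson());
    }

    // HARDENED: object-level authorization. The caller must belong to the instance's
    // tenant and be its starter, one of its approvers, or a BPM administrator.
    ProcessInstanceRespVO getProcessInstanceForCurrentUser(String id) {
        ProcessInstanceEntity e = repo.apply(id).orElseThrow(NotFoundException::new);
        CurrentUser u = principal.get();
        // Cross-tenant ids are indistinguishable from nonexistent ones: no existence oracle.
        if (e.tenantId() != u.tenantId()) {
            throw new NotFoundException();
        }
        boolean participant = e.startUserId() == u.id() || e.approverIds().contains(u.id());
        if (!participant && !u.hasRole("bpm_admin")) {
            throw new AccessDeniedException("caller is not a participant of process instance " + id);
        }
        return new ProcessInstanceRespVO(e.id(), e.bpmnXml(), e.formJson());
    }
}

@RestController
@RequestMapping("/bpm/process-instance") // hypothetical path
public class ProcessInstanceController {
    private final ProcessInstanceService service;

    public ProcessInstanceController(ProcessInstanceService service) { this.service = service; }

    // VULNERABLE: no @PreAuthorize, no ownership check. Any authenticated session that
    // knows or guesses an id receives the full instance.
    @GetMapping("/get-unprotected")
    public ProcessInstanceRespVO getUnprotected(@RequestParam("id") String id) {
        return service.getProcessInstance(id);
    }

    // HARDENED: coarse permission gate at the method boundary PLUS the fine-grained
    // check inside the service. The annotation alone would not stop an authorized
    // BPM user from reading a colleague's instance; the service check does.
    @GetMapping("/get")
    @PreAuthorize("hasAuthority('bpm:process-instance:query')") // hypothetical permission
    public ProcessInstanceRespVO get(@RequestParam("id") String id) {
        return service.getProcessInstanceForCurrentUser(id);
    }
}
```

Two points a reviewer should carry from this: `@PreAuthorize` only takes effect when method security is enabled (`@EnableMethodSecurity` in Spring Security 6, `@EnableGlobalMethodSecurity(prePostEnabled = true)` earlier), so its presence on a controller is not proof of enforcement; and a role or permission string is not an ownership check, so an endpoint that takes a caller-supplied identifier still needs the object-level comparison against the caller's identity and tenant, returning the same not-found response for foreign tenants to avoid leaking which identifiers exist.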
Affected Systems
The affected product is YunaiV yudao‑cloud in all releases older than 2026.06. The vulnerable components are the process‑instance API endpoints of the BPM module. The advisory names no other affected products or components, so every deployment running a version earlier than 2026.06 with the BPM module exposed should be treated as susceptible.
Risk and Exploitability
The CVSS base score of 7.1 places the flaw in the High severity band. No EPSS score is available and the vulnerability is not listed in CISA KEV, but the attack requires nothing beyond a valid account and a process‑instance identifier: a single ordinary HTTP GET to the endpoint returns the instance data, and there is no ownership check to bypass because none is performed. Identifiers that are sequential or otherwise predictable make enumeration across users and tenants straightforward. No exploit code is needed beyond legitimate credentials, so the risk stems entirely from the missing authorization enforcement, and the remediation is to upgrade to 2026.06 or later.
OpenCVE Enrichment