Description
A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the OAuth2TokenServiceImpl component of YunaiV yudao-cloud, where the getAccessToken method does not verify authentication properly before issuing tokens. An attacker can craft requests that satisfy the method's preconditions yet sidestep its access controls, resulting in the issuance of access tokens that grant unauthorized access to protected system resources.

Affected Systems

All instances of YunaiV yudao-cloud running any version up to and including 2026.01 are affected. The vulnerability is confined to the yudao-module-system-biz module, specifically the OAuth2TokenServiceImpl.java file.

Risk and Exploitability

The CVSS score of 6.9 signifies a moderate-severity vulnerability. EPSS data is not available and the issue is not listed in CISA's KEV catalog, but the description notes that exploit code is publicly available and the flaw can be triggered remotely. The lack of vendor response further heightens the risk until a definitive fix is released.

Generated by OpenCVE AI on May 3, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • When a vendor patch becomes available, update YunaiV yudao-cloud to the patched version immediately.
  • If no patch is currently released, limit exposure by blocking or restricting access to the OAuth2 token endpoint through firewall rules or an API gateway that enforces additional authentication controls before reaching getAccessToken.
  • Continuously review authentication logs for abnormal or repeated token requests and configure alerts for unusual activity patterns.
  • Contact the vendor to request an estimated remediation timeline, and in the interim, apply additional safeguards such as enforcing client credentials or multi-factor authentication for any OAuth flows in use.


Advisories

No advisories yet.

History

Sun, 03 May 2026 05:30:00 +0000

Type: First Time appeared
  Values Added: Yunaiv; Yunaiv yudao-cloud
Type: Vendors & Products
  Values Added: Yunaiv; Yunaiv yudao-cloud

Sun, 03 May 2026 04:30:00 +0000

Type: Description
  Values Added: A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Type: Title
  Values Added: YunaiV yudao-cloud OAuth2TokenServiceImpl.java getAccessToken improper authentication
Type: Weaknesses
  Values Added: CWE-287
Type: References
Type: Metrics
  Values Added:
    cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T04:15:10.929Z

Reserved: 2026-05-02T08:39:00.470Z

Link: CVE-2026-7679

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-03T05:15:59.207

Modified: 2026-05-03T05:15:59.207

Link: CVE-2026-7679

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T05:30:05Z

Weaknesses