CVE-2026-7710 - Vulnerability Details

- YunaiV yudao-cloud Ruoyi-Vue-Pro JwtAuthenticationTokenFilter.java doFilterInternal improper authentication

Description

A security flaw has been discovered in YunaiV yudao-cloud up to 3.8.0. This affects the function doFilterInternal of the file JwtAuthenticationTokenFilter.java of the component Ruoyi-Vue-Pro. Performing a manipulation of the argument mock-token results in improper authentication. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-05-03

Score: 6.9 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The flaw in the YunaiV yudao-cloud component Ruoyi-Vue-Pro arises from the doFilterInternal method in JwtAuthenticationTokenFilter.java, where a crafted mock-token value can be passed as an argument. By manipulating this parameter, an attacker can bypass authentication controls and gain the privileges of a legitimate user. This represents the classic CWE-287 vulnerability, where the system fails to properly authenticate credentials, leading to unauthorized access without direct exploitation of other system components.

Affected Systems

Versioned binaries of YunaiV yudao-cloud up to and including 3.8.0 are affected. The weakness specifically targets the code path inside JwtAuthenticationTokenFilter.java of the Ruoyi-Vue-Pro framework, implying that any deployment of this library within that version range is at risk.

Risk and Exploitability

The CVSS score of 6.9 classifies the defect as a moderate severity issue, though the public availability of a working exploit raises immediate concern. With no EPSS score available and the vulnerability not listed in CISA’s KEV catalog, the estimated exploitation probability remains uncertain, yet the remote nature of the attack vector and related authentication bypass allow an adversary to impersonate users over the network. The likely attack path involves sending a crafted HTTP request containing a manipulated mock-token parameter to the authentication endpoint, which then accepts the request and authenticates the attacker.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

YunaiV

yudao-cloud

affected

Version	Status	Constraints
`3.0`	affected	—
`3.1`	affected	—
`3.2`	affected	—
`3.3`	affected	—
`3.4`	affected	—
`3.5`	affected	—
`3.6`	affected	—
`3.7`	affected	—
`3.8.0`	affected	—

No data.

Vendor Product Confidence Versions

Yunaiv

Yudao-cloud

100%

Version	Status	Scheme	Platform
`3.0`	affected	generic	—
`3.1`	affected	generic	—
`3.2`	affected	generic	—
`3.3`	affected	generic	—
`3.4`	affected	generic	—
`3.5`	affected	generic	—
`3.6`	affected	generic	—
`3.7`	affected	generic	—
`3.8.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade YunaiV yudao-cloud to a version newer than 3.8.0 that contains the fixed JwtAuthenticationTokenFilter.java implementation.
Until an upgrade is possible, configure the application firewall or reverse proxy to reject or strip any requests containing the mock-token query parameter from the authentication endpoint.
Enforce strict validation of JWT tokens by checking signatures, issuer, audience, and expiration stamps before accepting any authentication request, thereby preventing tampered tokens from being accepted.

Generated by OpenCVE AI on May 4, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/9str0IL/CVE/issues/5
https://vuldb.com/submit/806493
https://vuldb.com/vuln/360886
https://vuldb.com/vuln/360886/cti

History

Mon, 04 May 2026 01:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Yunaiv Yunaiv yudao-cloud
Vendors & Products		Yunaiv Yunaiv yudao-cloud

Sun, 03 May 2026 23:30:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in YunaiV yudao-cloud up to 3.8.0. This affects the function doFilterInternal of the file JwtAuthenticationTokenFilter.java of the component Ruoyi-Vue-Pro. Performing a manipulation of the argument mock-token results in improper authentication. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title		YunaiV yudao-cloud Ruoyi-Vue-Pro JwtAuthenticationTokenFilter.java doFilterInternal improper authentication
Weaknesses		CWE-287
References		https://github.com/9str0IL/CVE/issues/5 https://vuldb.com/submit/806493 https://vuldb.com/vuln/360886 https://vuldb.com/vuln/360886/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Yunaiv Yudao-cloud

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-03T23:15:17.816Z

Updated: 2026-05-03T23:15:17.816Z

Reserved: 2026-05-03T07:38:31.974Z

Link: CVE-2026-7710

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-04T00:16:39.633

Modified: 2026-05-04T00:16:39.633

Link: CVE-2026-7710

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T01:00:05Z

Weaknesses

CWE-287

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object