CVE-2026-2819 identifies a missing authorization vulnerability in the Dromara RuoYi-Vue-Plus software, specifically affecting versions 5.5.0 through 5.5.3. The flaw exists in the Workflow Module's SaServletFilter function, particularly in the endpoint /workflow/instance/deleteByInstanceIds. This endpoint is responsible for deleting workflow instances, but due to improper authorization checks, an attacker can remotely invoke this function without the necessary permissions. The vulnerability does not require user interaction or prior authentication, making it remotely exploitable over the network with low complexity. The public availability of an exploit increases the likelihood of exploitation. The vulnerability impacts confidentiality, integrity, and availability to a limited extent, as unauthorized deletion of workflow instances can disrupt business processes and potentially expose sensitive workflow data. The vendor was contacted but did not respond, and no patches have been published yet. The CVSS 4.0 vector indicates no privileges required (PR:L), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). This vulnerability highlights a critical lapse in access control enforcement within the workflow management component of RuoYi-Vue-Plus.

The missing authorization vulnerability allows remote attackers to delete workflow instances without permission, potentially disrupting critical business processes and causing data loss or corruption. This can lead to operational downtime, loss of trust in the affected system, and indirect exposure of sensitive workflow-related information. Organizations relying on RuoYi-Vue-Plus for workflow automation may experience degraded service availability and integrity issues. While the impact on confidentiality is limited, the integrity and availability impacts can affect organizational productivity and compliance with regulatory requirements. The existence of a public exploit increases the risk of opportunistic attacks, especially in environments where the software is exposed to untrusted networks. The lack of vendor response and patches exacerbates the risk, leaving organizations vulnerable until mitigations or updates are applied.

Organizations should immediately audit access controls around the /workflow/instance/deleteByInstanceIds endpoint and restrict access to trusted administrators only. Implement network segmentation and firewall rules to limit exposure of the affected service to untrusted networks. Employ Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized requests targeting the vulnerable endpoint. Monitor logs for unusual deletion requests or patterns indicative of exploitation attempts. If possible, disable or restrict the Workflow Module functionality until a patch or official fix is available. Engage with the vendor or community to obtain updates or patches as they become available. Additionally, conduct thorough security assessments of other endpoints in the Workflow Module to identify similar authorization weaknesses. Maintain regular backups of workflow data to enable recovery in case of unauthorized deletions.