The ruoyi-vue-pro product through version 2026.05 contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint. Authenticated users can exploit this by sending requests with arbitrary sequential numeric ID parameters to retrieve follow-up records belonging to other users. This bypasses intended access controls, exposing sensitive data such as follow-up notes, file attachments, scheduling details, and business entity references. The issue was fixed in commit c779a47, but no explicit vendor advisory or patch details are provided in the input data. The CVSS 4.0 base score is 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required beyond authentication, and high impact on confidentiality.

Exploitation of this vulnerability allows authenticated users to read any follow-up record in the CRM module by manipulating the ID parameter. This leads to unauthorized disclosure of sensitive information including follow-up notes, file attachments, scheduling information, and references to business entities. The impact is primarily on confidentiality, with no indication of integrity or availability effects. There are no known exploits in the wild according to the provided data.

The vulnerability was fixed in commit c779a47. Since no official vendor advisory or patch link is provided, users should apply the fix from the referenced commit or update to a version later than 2026.05 that includes this fix. Patch status is not yet confirmed by a vendor advisory; therefore, users should verify with the vendor or official sources for the current remediation guidance before deployment. Until patched, restrict access to the affected endpoint to trusted users only and monitor for suspicious access patterns if possible.