CVE-2026-58176: Missing Authorization in dromara RuoYi-Vue-Plus
RuoYi-Vue-Plus versions up to 5.6.2 have a missing authorization vulnerability in the workflow task management endpoints under /workflow/task (FlwTaskController). These endpoints lack class-level or method-level permission checks and rely only on global authentication. As a result, any authenticated user can reassign workflow approval tasks to arbitrary users, urge tasks, and enumerate all pending and finished tasks, bypassing intended segregation of duties. The issue was fixed by adding permission identifiers (SaCheckPermission) to these endpoints.
AI Analysis
Technical Summary
CVE-2026-58176 describes a missing authorization vulnerability in dromara's RuoYi-Vue-Plus product through version 5.6.2. The workflow task management controller (FlwTaskController) exposes endpoints without specific permission checks, relying solely on global authentication. This allows any authenticated user, regardless of role, to perform unauthorized actions such as reassigning approval tasks, urging tasks, and listing all tasks. The vulnerability undermines segregation of duties in the approval process. The fix was implemented by adding SaCheckPermission annotations to enforce proper authorization on these endpoints.
Potential Impact
The vulnerability allows any authenticated user to reassign workflow approval tasks to arbitrary users, urge arbitrary tasks, and enumerate all pending and finished tasks. This defeats segregation of duties controls in the workflow approval process, potentially enabling unauthorized task manipulation and information disclosure. There is no impact on confidentiality, but integrity is affected due to unauthorized task reassignment. Availability is not impacted.
Mitigation Recommendations
A fix is available and was implemented by adding permission identifiers (SaCheckPermission) to the affected endpoints. Users should upgrade to a version later than 5.6.2 where this fix is applied. Since no official remediation level or patch link is provided, verify the fix by checking the vendor's repository or advisory for commit 88d03d9 or later versions. Until patched, restrict access to the workflow task endpoints to trusted users only.
CVE-2026-58176: Missing Authorization in dromara RuoYi-Vue-Plus
Description
RuoYi-Vue-Plus versions up to 5.6.2 have a missing authorization vulnerability in the workflow task management endpoints under /workflow/task (FlwTaskController). These endpoints lack class-level or method-level permission checks and rely only on global authentication. As a result, any authenticated user can reassign workflow approval tasks to arbitrary users, urge tasks, and enumerate all pending and finished tasks, bypassing intended segregation of duties. The issue was fixed by adding permission identifiers (SaCheckPermission) to these endpoints.
CVSS v3.1
Score 6.5medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-58176 describes a missing authorization vulnerability in dromara's RuoYi-Vue-Plus product through version 5.6.2. The workflow task management controller (FlwTaskController) exposes endpoints without specific permission checks, relying solely on global authentication. This allows any authenticated user, regardless of role, to perform unauthorized actions such as reassigning approval tasks, urging tasks, and listing all tasks. The vulnerability undermines segregation of duties in the approval process. The fix was implemented by adding SaCheckPermission annotations to enforce proper authorization on these endpoints.
Potential Impact
The vulnerability allows any authenticated user to reassign workflow approval tasks to arbitrary users, urge arbitrary tasks, and enumerate all pending and finished tasks. This defeats segregation of duties controls in the workflow approval process, potentially enabling unauthorized task manipulation and information disclosure. There is no impact on confidentiality, but integrity is affected due to unauthorized task reassignment. Availability is not impacted.
Mitigation Recommendations
A fix is available and was implemented by adding permission identifiers (SaCheckPermission) to the affected endpoints. Users should upgrade to a version later than 5.6.2 where this fix is applied. Since no official remediation level or patch link is provided, verify the fix by checking the vendor's repository or advisory for commit 88d03d9 or later versions. Until patched, restrict access to the workflow task endpoints to trusted users only.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-06-29T16:23:52.713Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a43f43127e9c79719185f92
Added to database: 06/30/2026, 16:52:01 UTC
Last enriched: 06/30/2026, 17:07:25 UTC
Last updated: 06/30/2026, 18:16:38 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.