CVE-2026-58176

Source
https://cve.org/CVERecord?id=CVE-2026-58176
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58176.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58176
Published
2026-06-30T15:56:17.884Z
Modified
2026-07-15T01:49:19.294090891Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
RuoYi-Vue-Plus - Missing Authorization on Workflow Task Management Endpoints
Details

RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global authentication. Any authenticated user, regardless of assigned role, can therefore reassign workflow approval tasks to arbitrary users via updateAssignee (defeating segregation of duties in the approval process), urge arbitrary tasks, and enumerate all pending and finished tasks via the pageByAllTaskWait and pageByAllTaskFinish listing endpoints. The issue was resolved by adding permission identifiers (SaCheckPermission) to these endpoints.

Database specific
{
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58176.json"
}
References

Affected packages

Git / github.com/dromara/ruoyi-vue-plus

Affected ranges

Type
GIT
Repo
https://github.com/dromara/ruoyi-vue-plus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.6.2"
        }
    ]
}

Affected versions

v5.*
v5.0.0
v5.1.0
v5.2.1
v5.2.2
v5.2.3
v5.3.0
v5.3.1
v5.4.0
v5.4.1
v5.4.2
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.6.0
v5.6.1
v5.6.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58176.json"