CVE-2026-57950 in ruoyi-vue-pro

Summary

by MITRE • 06/29/2026

ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70, contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders due to the controller enforcing erp:sale-out instead of the intended erp:sale-order namespace.


Analysis

by VulDB Data Team • 06/30/2026

ruoyi-vue-pro 2026.05 contains a broken access control vulnerability in the ErpSaleOrderController component. The controller is where authorization decisions for sale order operations are made, and its checks reference the wrong permission scope, so an authenticated user with limited privileges is allowed through to operations that should require a different, more sensitive permission. The result is a straightforward violation of least privilege and of the role-based access control model the framework otherwise relies on.

Concretely, the sale order endpoints check for the erp:sale-out namespace (shipments) instead of the intended erp:sale-order namespace. Any account holding shipment-level permissions therefore satisfies the check and can call the sale order operations, even though it was never granted erp:sale-order rights. No authentication bypass is involved: the attacker is a logged-in user whose existing permissions are compared against the wrong scope. The flaw lives entirely at the application logic level, in the permission string attached to each controller method, which is why it is easy to introduce and easy to miss in review.
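To make the namespace mismatch concrete, here is the vulnerable and the corrected form of such a controller side by side. This is an added illustration, not code from ruoyi-vue-pro or from the fix commit: it uses the Spring Security annotation style the project relies on (@PreAuthorize with its @ss.hasPermission(...) bean expression), but the method names, request paths, request type and return types are assumptions.

```java
// Added example (not the project's own code). Requires spring-web and
// spring-security on the classpath; the @ss bean is the project's own
// permission evaluator and is assumed to exist.
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

/** Assumed request body; the real project uses a richer SaveReqVO. */
record SaleOrderSaveReq(Long id, Long customerId) {}

/**
 * BEFORE: every check names the shipment namespace (erp:sale-out). A role that
 * only has erp:sale-out:* permissions passes all four checks, although it was
 * never granted anything under erp:sale-order.
 */
@RestController
@RequestMapping("/erp/sale-order")
class ErpSaleOrderControllerVulnerable {

    @PostMapping("/create")
    @PreAuthorize("@ss.hasPermission('erp:sale-out:create')")   // wrong namespace
    public Long create(@RequestBody SaleOrderSaveReq req) { return 1L; }

    @PutMapping("/update")
    @PreAuthorize("@ss.hasPermission('erp:sale-out:update')")   // wrong namespace
    public Boolean update(@RequestBody SaleOrderSaveReq req) { return true; }

    @DeleteMapping("/delete")
    @PreAuthorize("@ss.hasPermission('erp:sale-out:delete')")   // wrong namespace
    public Boolean delete(@RequestParam("id") Long id) { return true; }

    @GetMapping("/get")
    @PreAuthorize("@ss.hasPermission('erp:sale-out:query')")    // wrong namespace
    public SaleOrderSaveReq get(@RequestParam("id") Long id) { return new SaleOrderSaveReq(id, 0L); }
}

/**
 * AFTER: the same endpoints guarded by the resource they actually expose.
 * Only the permission strings change; the request mappings stay the same.
 */
@RestController
@RequestMapping("/erp/sale-order")
class ErpSaleOrderControllerFixed {

    @PostMapping("/create")
    @PreAuthorize("@ss.hasPermission('erp:sale-order:create')")
    public Long create(@RequestBody SaleOrderSaveReq req) { return 1L; }

    @PutMapping("/update")
    @PreAuthorize("@ss.hasPermission('erp:sale-order:update')")
    public Boolean update(@RequestBody SaleOrderSaveReq req) { return true; }

    @DeleteMapping("/delete")
    @PreAuthorize("@ss.hasPermission('erp:sale-order:delete')")
    public Boolean delete(@RequestParam("id") Long id) { return true; }

    @GetMapping("/get")
    @PreAuthorize("@ss.hasPermission('erp:sale-order:query')")
    public SaleOrderSaveReq get(@RequestParam("id") Long id) { return new SaleOrderSaveReq(id, 0L); }
}
```

The two classes are shown together only for comparison; they declare the same request mappings and cannot both be registered in one Spring context. The useful verification after deploying the fix is behavioural: a test account whose role carries only erp:sale-out permissions must be denied on every one of these endpoints, while a role holding erp:sale-order permissions must still succeed.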

The operational impact is bounded by what the sale order endpoints allow, but that is considerable: a user who is only supposed to record shipments can create, read, modify and delete sale orders, which are financially sensitive records. Tampered orders feed inventory tracking, revenue reporting and customer billing, so a single wrongly scoped permission string can ripple through those downstream processes and create compliance problems as well as direct financial loss.

The weakness is CWE-285 (Improper Authorization); VulDB maps it to ATT&CK T1078.004, a Valid Accounts sub-technique, since exploitation is carried out from a legitimate, lower-privileged account. The fix (commit 5d1fd70) changes the permission checks in ErpSaleOrderController to the erp:sale-order namespace so that every sale order operation is validated against the intended scope. Upgrade to a build that contains that commit. If the controller has been forked or patched locally, correct the namespace on every sale order endpoint rather than only the ones called out in the advisory, and confirm with a test account that holds only erp:sale-out permissions that the sale order endpoints are now denied.

Copied controllers are a common source of this bug: a permission annotation pasted from a sibling controller (here, the shipment controller) keeps the sibling's namespace unless someone edits it. Security teams should audit every controller in the codebase for permission strings whose namespace does not match the resource the controller exposes, add authorization tests that exercise each endpoint with a role holding only a neighbouring permission, and log both granted and denied authorization decisions so that use of a wrongly scoped permission can be detected rather than discovered after the fact.
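The audit described above can be automated as a static check. The following is a hypothetical tool added here, not part of ruoyi-vue-pro or of VulDB's analysis. It assumes the project convention that a controller mapped at "/erp/sale-order" guards its methods with permissions of the form "erp:sale-order:<action>", and that checks are written as @ss.hasPermission('...'); the embedded controller text is constructed for the example and is not the real controller.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;

/**
 * PermissionNamespaceAudit (added example, not a ruoyi-vue-pro tool; Java 17+).
 * Derives the expected permission namespace from each controller's class-level
 * @RequestMapping path (assumed convention: "/erp/sale-order" <-> "erp:sale-order:<action>")
 * and reports every @ss.hasPermission('...') string whose namespace differs.
 */
public class PermissionNamespaceAudit {

    private static final Pattern REQUEST_MAPPING =
            Pattern.compile("@RequestMapping\\(\\s*(?:value\\s*=\\s*)?\"([^\"]+)\"");
    private static final Pattern HAS_PERMISSION =
            Pattern.compile("hasPermission\\(\\s*'([^']+)'");

    /** One mismatch: source line, the permission string found, the namespace expected. */
    public record Finding(int line, String permission, String expected) {}

    /** "/erp/sale-order" -> "erp:sale-order". */
    static String namespaceFromPath(String path) {
        return path.replaceAll("^/+|/+$", "").replace('/', ':');
    }

    /** "erp:sale-out:create" -> "erp:sale-out" (everything before the action segment). */
    static String namespaceOf(String permission) {
        int i = permission.lastIndexOf(':');
        return i < 0 ? permission : permission.substring(0, i);
    }

    /** Scans one controller's source text; returns mismatched checks in order of appearance. */
    public static List<Finding> audit(String source) {
        Matcher mapping = REQUEST_MAPPING.matcher(source);
        if (!mapping.find()) {
            return List.of();   // no class-level mapping: nothing to compare against
        }
        // The first @RequestMapping is taken as the class-level one; ruoyi-vue-pro
        // uses @GetMapping/@PostMapping on methods, so it defines the namespace.
        String expected = namespaceFromPath(mapping.group(1));
        List<Finding> findings = new ArrayList<>();
        String[] lines = source.split("\n", -1);
        for (int i = 0; i < lines.length; i++) {
            Matcher m = HAS_PERMISSION.matcher(lines[i]);
            while (m.find()) {
                String perm = m.group(1);
                if (!namespaceOf(perm).equals(expected)) {
                    findings.add(new Finding(i + 1, perm, expected));
                }
            }
        }
        return findings;
    }

    // Constructed sample (not the real controller): two checks copied from the
    // shipment controller and one that already names the right namespace.
    static final String SAMPLE = """
            @RestController
            @RequestMapping("/erp/sale-order")
            public class ErpSaleOrderController {
                @PostMapping("/create")
                @PreAuthorize("@ss.hasPermission('erp:sale-out:create')")
                public Long create() { return 1L; }
                @PutMapping("/update")
                @PreAuthorize("@ss.hasPermission('erp:sale-out:update')")
                public Boolean update() { return true; }
                @GetMapping("/get")
                @PreAuthorize("@ss.hasPermission('erp:sale-order:query')")
                public String get() { return "ok"; }
            }
            """;

    static void report(String file, List<Finding> findings) {
        for (Finding f : findings) {
            System.out.printf("%s:%d: permission '%s' is outside namespace '%s'%n",
                    file, f.line(), f.permission(), f.expected());
        }
    }

    /** No arguments: audit the embedded sample. Otherwise: walk each given source root. */
    public static void main(String[] args) throws IOException {
        if (args.length == 0) {
            report("<sample>", audit(SAMPLE));
            return;
        }
        for (String root : args) {
            try (Stream<Path> files = Files.walk(Path.of(root))) {
                for (Path p : files.filter(f -> f.toString().endsWith("Controller.java")).toList()) {
                    report(p.toString(), audit(Files.readString(p)));
                }
            }
        }
    }
}
```

Run without arguments to see the two flagged lines in the sample, or point it at a source tree (for example the module directory that contains the ERP controllers) to scan every *Controller.java. Findings need manual review: a controller that deliberately requires a permission from another resource will be flagged too, and the check says nothing about methods that carry no permission annotation at all, which is the other common variant of this bug and needs a separate rule.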

Responsible

VulnCheck

Reservation

06/26/2026

Disclosure

06/29/2026

Moderation

accepted

CPE

ready

EPSS

0.00294

KEV

no

Activities

very low

Sources
