CVE-2026-58176 in RuoYi-Vue-Plus

Summary

by MITRE • 06/30/2026

RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global authentication. Any authenticated user, regardless of assigned role, can therefore reassign workflow approval tasks to arbitrary users via updateAssignee (defeating segregation of duties in the approval process), urge arbitrary tasks, and enumerate all pending and finished tasks via the pageByAllTaskWait and pageByAllTaskFinish listing endpoints. The issue was resolved by adding permission identifiers (SaCheckPermission) to these endpoints.


Analysis

by VulDB Data Team • 06/30/2026

The RuoYi-Vue-Plus framework version 5.6.2 and earlier contains a critical authorization vulnerability that fundamentally undermines workflow security controls through improper access control implementation. This vulnerability exists within the workflow task management component where the FlwTaskController exposes multiple sensitive endpoints without proper authorization checks, creating a path for unauthorized privilege escalation and process manipulation. The flaw represents a direct violation of the principle of least privilege and demonstrates a failure in implementing proper role-based access controls that should govern workflow approval processes.

The technical implementation flaw stems from the absence of any authorization annotations at either class or method level within the FlwTaskController. This controller exposes several critical endpoints including updateAssignee for task reassignment, pageByAllTaskWait for enumerating pending tasks, and pageByAllTaskFinish for accessing completed workflows. Without explicit permission checks, these endpoints rely solely on global authentication mechanisms that only verify user credentials rather than validating user authorization to perform specific actions. This architectural oversight creates a scenario where any authenticated user can manipulate workflow processes regardless of their assigned roles or responsibilities.

The operational impact of this vulnerability is severe and directly compromises business process integrity and regulatory compliance. An authenticated attacker can reassign workflow approval tasks to arbitrary users, effectively bypassing the segregation of duties controls that are fundamental to preventing fraud and ensuring proper governance. This capability allows malicious actors to manipulate approval workflows, potentially enabling unauthorized transactions, data modifications, or process bypasses that could result in significant financial loss or compliance violations. The enumeration capabilities further amplify the risk by allowing attackers to discover workflow states and identify potential targets for exploitation.

The vulnerability aligns with CWE-285 (Improper Authorization), which covers scenarios where access control checks are missing or insufficient. This flaw also maps to ATT&CK technique T1078 (Valid Accounts), the use of legitimate credentials for persistence and privilege escalation. The lack of proper authorization controls creates a persistent security weakness that can be exploited repeatedly without detection. The fix implemented through commit 88d03d9 addresses this by adding SaCheckPermission annotations to the affected endpoints, which integrates with the framework's existing permission system to validate user roles and privileges before granting access to workflow management functions.

Organizations utilizing RuoYi-Vue-Plus must immediately apply the patch that introduces proper authorization checks to prevent unauthorized workflow manipulation. The mitigation strategy should include comprehensive testing of the newly enforced permissions to ensure legitimate users retain appropriate access while unauthorized individuals are properly blocked. Security teams should also conduct thorough audits of other controllers within the framework to identify similar authorization gaps that may exist in other components. This vulnerability demonstrates the critical importance of implementing defense-in-depth security measures, particularly around workflow and approval processes where proper authorization controls directly impact business integrity and compliance requirements.
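The audit recommended above (other controllers with the same gap) can be partly automated. The following script is an added example, not code from the advisory or from the RuoYi-Vue-Plus project: it scans Java controller source for Spring HTTP mapping annotations whose handler has neither a method-level nor a class-level Sa-Token authorization annotation, the exact shape of the FlwTaskController flaw. The embedded controller is a constructed sample modelled on the advisory's description (the one annotated endpoint and its permission identifier are assumed placeholders added only to exercise the scanner).

```python
import re

# Constructed sample modelled on the advisory's description of FlwTaskController:
# updateAssignee and pageByAllTaskWait carry no authorization annotation. The
# annotated pageByTaskWait and its identifier are assumptions, not project code.
VULNERABLE_CONTROLLER = """
@RestController
@RequestMapping("/workflow/task")
public class FlwTaskController {
    @PutMapping("/updateAssignee/{taskId}")
    public R<Void> updateAssignee(@PathVariable String taskId, @RequestParam String userId) { return null; }

    @GetMapping("/pageByAllTaskWait")
    public TableDataInfo<FlowTaskVo> pageByAllTaskWait(FlowTaskBo bo, PageQuery pq) { return null; }

    @SaCheckPermission("workflow:task:query")
    @GetMapping("/pageByTaskWait")
    public TableDataInfo<FlowTaskVo> pageByTaskWait(FlowTaskBo bo, PageQuery pq) { return null; }
}
"""

# Hardened variant: a class-level @SaCheckPermission covers every handler.
# The permission identifier is an assumed placeholder, not the project's value.
FIXED_CONTROLLER = VULNERABLE_CONTROLLER.replace(
    "@RestController", '@RestController\n@SaCheckPermission("workflow:task:manage")')

MAPPING_RE = re.compile(r"@(?:Get|Post|Put|Delete|Patch|Request)Mapping\b")
AUTHZ_RE = re.compile(r"@Sa(?:CheckPermission|CheckRole)\b")  # Sa-Token authz annotations
METHOD_RE = re.compile(r"public\s+[\w<>\[\],\s]+?\s+(\w+)\s*\(")


def unprotected_endpoints(java_source):
    """Names of HTTP handler methods with no Sa-Token authorization annotation
    on the method or on the enclosing class. Heuristic, line-based parsing."""
    lines = java_source.splitlines()
    class_idx = next(i for i, l in enumerate(lines) if re.search(r"\bclass\s+\w+", l))
    if any(AUTHZ_RE.search(l) for l in lines[:class_idx]):
        return []  # class-level annotation applies to all handlers
    findings, has_mapping, has_authz = [], False, False
    for line in lines[class_idx + 1:]:
        if AUTHZ_RE.search(line):
            has_authz = True
        if MAPPING_RE.search(line):
            has_mapping = True
        m = METHOD_RE.search(line)
        if m:  # reached the signature: annotations seen so far belong to it
            if has_mapping and not has_authz:
                findings.append(m.group(1))
            has_mapping = has_authz = False
    return findings


if __name__ == "__main__":
    print("unprotected:", unprotected_endpoints(VULNERABLE_CONTROLLER))
    print("after fix:", unprotected_endpoints(FIXED_CONTROLLER))
```

Run it over each `*Controller.java` in the code base; any handler it reports is gated only by global authentication, which is the condition the advisory describes.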

The remediation approach taken by the development team represents a sound security practice that aligns with industry standards for access control implementation. By introducing explicit permission checks through the SaCheckPermission annotations, the framework now properly validates user authorization before permitting access to sensitive workflow operations. This solution maintains system functionality while ensuring appropriate separation of duties and preventing privilege escalation attacks. Organizations should also consider implementing additional monitoring and logging around workflow operations to detect anomalous access patterns that may indicate exploitation attempts against similar vulnerabilities in other components.

Responsible: VulnCheck

Reservation: 06/29/2026

Disclosure: 06/30/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: low

Sources
