Submit #782103: Dromara lamp-cloud 5.8.1 Broken object property level authorizationinfo

TitleDromara lamp-cloud 5.8.1 Broken object property level authorization
Description## Summary A broken access control vulnerability exists in `lamp-cloud` at endpoint `POST /defUser/pageUser` (`DefUserController#pageUser`). An authenticated low-privilege user can enumerate users outside their own organization/company scope. This appears to be a row-level authorization/data-scope failure (BOLA/IDOR-style read exposure), not merely an endpoint authentication issue.
Source⚠️ https://github.com/dromara/lamp-cloud/issues/403
User
 Anonymous User
Submission03/18/2026 05:05 (4 months ago)
Moderation04/04/2026 08:27 (17 days later)
StatusAccepted
VulDB entry355282 [Dromara lamp-cloud up to 5.8.1 DefUserController /defUser/pageUser improper authorization]
Points19

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!