No advisories yet.
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Wed, 01 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 03:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Yunaiv
Yunaiv yudao-cloud |
|
| Vendors & Products |
Yunaiv
Yunaiv yudao-cloud |
Tue, 30 Jun 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation. Attackers can query any process-instance identifier through the unguarded GET endpoint to read sensitive workflow data including submitted form variables, approver identities, approval and rejection comments, and process BPMN XML without ownership or tenant party verification. | |
| Title | yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API | |
| Weaknesses | CWE-862 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-01T14:53:31.896Z
Reserved: 2026-06-30T19:09:07.025Z
Link: CVE-2026-58448
Updated: 2026-07-01T14:53:27.573Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-01T03:30:05Z