CVE-2026-58448 MEDIUM

CVE-2026-58448: yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API

Vendor Yunaiv
Product yudao-cloud
Weakness CWE-862 · Missing authorization
Published June 30, 2026
Last update July 1, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation. Attackers can query any process-instance identifier through the unguarded GET endpoint to read sensitive workflow data including submitted form variables, approver identities, approval and rejection comments, and process BPMN XML without ownership or tenant party verification.

Key dates

02Disclosure timeline

June 30, 2026 CVE published
July 1, 2026 Record updated