CVE-2025-70986
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-01-30

Assigner: MITRE

Description
Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data.
Meta Information
Published: 2026-01-23
Last Modified: 2026-01-30
Generated: 2026-06-16
AI Q&A: 2026-01-23
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
ruoyi    ruoyi     4.8.1
ruoyi    ruoyi     4.8.2
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2025-70986 is an access control vulnerability in the selectDept function of the RuoYi project. The function exposes sensitive department data to unauthorized users because it lacks the permission check that comparable interfaces in the same module enforce. Specifically, the selectDeptTree method does not carry the @RequirePermission annotation that normally restricts access to authorized users. As a result, attackers can bypass authorization controls and view department-related information they should not be able to access. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive department data within the RuoYi system. Attackers exploiting this flaw can access confidential organizational information without proper permissions, potentially leading to information leakage, privacy violations, and increased risk of further attacks due to exposed internal data. [1, 2]

Detection Guidance

You can detect this vulnerability by requesting the vulnerable endpoint without proper authorization and observing whether sensitive department data is returned. Specifically, test HTTP GET requests to the endpoints /selectDeptTree/{deptId} or /selectDeptTree/{deptId}/{excludeId} on the RuoYi v4.8.2 system. For example, use a curl command such as: curl -i -X GET http://<target>/selectDeptTree/1 to see whether department data is accessible without authentication or permission checks. If data is returned without a permission requirement, the vulnerability is present. [1]

Mitigation Strategies

Immediate mitigation is to restrict access to the /selectDeptTree endpoints by applying the same permission checks that the other department-related interfaces already use. This can be done by adding an authorization annotation such as @RequirePermission("system:dept:edit") to the selectDeptTree method so that the framework enforces access control before the handler runs. Additionally, restrict access to these endpoints at the network or application firewall level so that unauthorized users cannot reach them until a patch or update is applied. [1, 2]

Compliance Impact

The vulnerability allows unauthorized access to sensitive department data because of missing permission checks, which can lead to unauthorized disclosure of sensitive information. Such unauthorized data access may result in non-compliance with data protection regulations such as GDPR and HIPAA, which require strict access controls around sensitive information. [1, 2]
