CVE-2026-2819
Authorization Bypass in Dromara RuoYi-Vue-Plus Workflow Module
Publication date: 2026-02-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dromara | ruoyi-vue-plus | to 5.5.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-2819 is an authorization vulnerability in Dromara RuoYi-Vue-Plus versions up to 5.5.3, specifically in the Workflow Module's function SaServletFilter within the /workflow/instance/deleteByInstanceIds endpoint."}, {'type': 'paragraph', 'content': 'The vulnerability occurs because proper authorization checks are missing, allowing unauthorized users to perform actions they should not be able to, such as deleting workflow instances.'}, {'type': 'paragraph', 'content': 'Authenticated users with low privileges can bypass access controls on critical API endpoints due to the absence of permission enforcement annotations and insufficient security filtering.'}, {'type': 'paragraph', 'content': 'The exploit is publicly available, easy to execute remotely, and can lead to unauthorized deletion of workflow instances.'}] [1, 2]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing unauthorized users, even those with low privileges, to delete workflow instances and perform other sensitive operations without proper permission.'}, {'type': 'paragraph', 'content': "Such unauthorized actions can compromise the confidentiality, integrity, and availability of your system's workflow data."}, {'type': 'paragraph', 'content': 'An attacker can remotely exploit this flaw to disrupt business processes, delete important data, or interfere with task management.'}] [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to send unauthorized DELETE requests to the endpoint /workflow/instance/deleteByInstanceIds and observing if the request succeeds without proper authorization.'}, {'type': 'paragraph', 'content': 'A proof of concept involves an authenticated low-privileged user sending a DELETE HTTP request to this endpoint and receiving a 200 OK response, indicating missing authorization checks.'}, {'type': 'list_item', 'content': 'Use a command-line tool like curl to send a DELETE request: curl -X DELETE https://<target>/workflow/instance/deleteByInstanceIds -H "Authorization: Bearer <low-privilege-token>"'}, {'type': 'list_item', 'content': 'Check server logs for successful DELETE requests to /workflow/instance/deleteByInstanceIds from users without sufficient privileges.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
As of the disclosure date, no known patches or mitigations are available from the vendor.
Immediate mitigation steps include considering replacing the affected product with an alternative that does not have this vulnerability.
Additionally, restrict access to the vulnerable endpoint /workflow/instance/deleteByInstanceIds by network controls or web application firewalls to prevent unauthorized requests.
Monitor and audit usage of the Workflow Module endpoints closely to detect any unauthorized activity.