Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2819 is an authorization vulnerability in Dromara RuoYi-Vue-Plus versions up to 5.5.3, specifically in the Workflow Module's function SaServletFilter within the /workflow/instance/deleteByInstanceIds endpoint."}, {'type': 'paragraph', 'content': 'The vulnerability occurs because proper authorization checks are missing, allowing unauthorized users to perform actions they should not be able to, such as deleting workflow instances.'}, {'type': 'paragraph', 'content': 'Authenticated users with low privileges can bypass access controls on critical API endpoints due to the absence of permission enforcement annotations and insufficient security filtering.'}, {'type': 'paragraph', 'content': 'The exploit is publicly available, easy to execute remotely, and can lead to unauthorized deletion of workflow instances.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing unauthorized users, even those with low privileges, to delete workflow instances and perform other sensitive operations without proper permission.'}, {'type': 'paragraph', 'content': "Such unauthorized actions can compromise the confidentiality, integrity, and availability of your system's workflow data."}, {'type': 'paragraph', 'content': 'An attacker can remotely exploit this flaw to disrupt business processes, delete important data, or interfere with task management.'}] [1, 2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to send unauthorized DELETE requests to the endpoint /workflow/instance/deleteByInstanceIds and observing if the request succeeds without proper authorization.'}, {'type': 'paragraph', 'content': 'A proof of concept involves an authenticated low-privileged user sending a DELETE HTTP request to this endpoint and receiving a 200 OK response, indicating missing authorization checks.'}, {'type': 'list_item', 'content': 'Use a command-line tool like curl to send a DELETE request: curl -X DELETE https://<target>/workflow/instance/deleteByInstanceIds -H "Authorization: Bearer <low-privilege-token>"'}, {'type': 'list_item', 'content': 'Check server logs for successful DELETE requests to /workflow/instance/deleteByInstanceIds from users without sufficient privileges.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

As of the disclosure date, no known patches or mitigations are available from the vendor.

Immediate mitigation steps include considering replacing the affected product with an alternative that does not have this vulnerability.

Additionally, restrict access to the vulnerable endpoint /workflow/instance/deleteByInstanceIds by network controls or web application firewalls to prevent unauthorized requests.

Monitor and audit usage of the Workflow Module endpoints closely to detect any unauthorized activity.

Useful 0 Not Useful 0