CVE-2026-5529
Improper Authorization in Dromara lamp-cloud DefUserController
Publication date: 2026-04-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dromara | lamp-cloud | < 5.8.1 (all versions before 5.8.1; 5.8.1 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability, CVE-2026-5529, is a broken access control (improper authorization) issue in the Dromara lamp-cloud project, in the pageUser function of the DefUserController component. It allows an authenticated low-privilege user to remotely list and enumerate user accounts beyond their own organizational boundary, including high-privilege and system accounts.
The root cause is missing row-level authorization in the SQL query behind the pageUser endpoint: the query is not constrained by the caller's employee ID, company ID, or organizational relationships, so any caller who can reach the endpoint receives user profile data from other companies and organizations without needing administrative privileges.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive user information across organizational boundaries. Any authenticated user with permission to access the pageUser endpoint can enumerate users outside their own organization, including super administrators and other high-privilege accounts.
The impact is a significant confidentiality breach and broad user enumeration; the harvested account names and profiles can be used to target specific accounts in follow-on attacks or privilege escalation within the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by calling the POST /defUser/pageUser endpoint as an authenticated low-privilege user and checking whether the response includes users from outside the caller's organization or company.
Authenticate as a normal user who is permitted to use the endpoint, send a POST request with the body {"current":1,"size":20,"model":{}} to /defUser/pageUser, and inspect the returned records. Entries for accounts such as "lamp" or "superAdmin", or for any user whose company or organization differs from the caller's, indicate that row-level scoping is missing.
Example command using curl (replace the host with your instance and <token> with the low-privilege user's bearer token; only test systems you are authorized to assess):
- curl -X POST https://your-lamp-cloud-instance/defUser/pageUser -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"current":1,"size":20,"model":{}}'
If the response includes user entries beyond the authenticated user's organization, the instance is vulnerable; an instance that enforces data scope returns only users within the caller's own company or organization.
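The check above, as an added example that is not part of the advisory or of lamp-cloud itself: it builds the same POST and then evaluates a pageUser response for accounts the caller should never see. The response shape (a wrapper with data.records), the companyId field on each record, and the two sample responses are assumptions constructed for illustration; adjust the field names to what your instance actually returns.

```python
"""Detection helper for CVE-2026-5529: added example, not lamp-cloud code.

Assumptions not confirmed by the advisory: the endpoint returns a wrapper
{"code": 0, "data": {"records": [...], "total": N}}, and each record carries
"username" and a "companyId". Adjust these names to your instance.
"""
import json
import urllib.request

PAGE_USER_PATH = "/defUser/pageUser"
PAGE_BODY = {"current": 1, "size": 20, "model": {}}
# Accounts the advisory names as evidence of cross-organization exposure.
PRIVILEGED_USERNAMES = {"lamp", "superAdmin"}


def build_request(base_url, token):
    """Build the POST from the advisory; no network I/O happens here."""
    return urllib.request.Request(
        base_url.rstrip("/") + PAGE_USER_PATH,
        data=json.dumps(PAGE_BODY).encode("utf-8"),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )


def out_of_scope_users(response, caller_company_id):
    """Return the records a low-privilege caller should never see: accounts
    whose companyId differs from the caller's, or the privileged accounts
    the advisory names. `response` is the parsed JSON body or its text."""
    body = json.loads(response) if isinstance(response, str) else response
    records = (body.get("data") or {}).get("records") or []
    leaked = []
    for rec in records:
        foreign = (rec.get("companyId") is not None
                   and rec["companyId"] != caller_company_id)
        if foreign or rec.get("username") in PRIVILEGED_USERNAMES:
            leaked.append(rec)
    return leaked


def is_vulnerable(response, caller_company_id):
    """True when at least one returned user lies outside the caller's scope."""
    return bool(out_of_scope_users(response, caller_company_id))


def probe(base_url, token, caller_company_id):
    """Live check against an instance you are authorized to test."""
    req = build_request(base_url, token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return is_vulnerable(resp.read().decode("utf-8"), caller_company_id)


# Constructed sample responses (not captured from a real system). The caller
# is an ordinary user of company "C-100".
LEAKY_RESPONSE = {
    "code": 0,
    "data": {"total": 4, "records": [
        {"id": 1, "username": "lamp", "companyId": None},
        {"id": 2, "username": "superAdmin", "companyId": None},
        {"id": 3, "username": "alice", "companyId": "C-100"},
        {"id": 4, "username": "bob", "companyId": "C-200"},
    ]},
}
SCOPED_RESPONSE = {
    "code": 0,
    "data": {"total": 1, "records": [
        {"id": 3, "username": "alice", "companyId": "C-100"},
    ]},
}

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_RESPONSE), ("scoped", SCOPED_RESPONSE)):
        leaked = [r["username"] for r in out_of_scope_users(body, "C-100")]
        print(name, "vulnerable" if leaked else "ok", leaked)
```

Run it with the samples to see the verdict for each shape, or call probe(base_url, token, your_company_id) against a test instance. A record with no companyId is not treated as foreign on its own, because platform accounts may legitimately carry none; they are caught by the username list instead, so extend PRIVILEGED_USERNAMES with whatever system accounts your deployment uses.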
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation: restrict access to the POST /defUser/pageUser endpoint to trusted or administrative users until a proper fix is applied.
Additionally, monitor and audit access logs for unusual or unauthorized queries to this endpoint, such as low-privilege accounts paging through the full user list.
Longer term, upgrade to a release outside the affected range (5.8.1 or later, per the affected-version table above) or apply the suggested remediation: enforce row-level data scope in the SQL queries and service layers so that the user data returned is strictly limited to the caller's organization or company.
- Bind the caller's employee ID, company ID, and department ID from the authentication context (never from the request body) to the query.
- Add joins with the organizational relationship tables and enforce role-based data scope policies.
- Add server-side authorization guards for privileged or global user listing operations.
Restricting or disabling the endpoint is only a stopgap: the data returned to any caller remains unscoped until the query-level fix is in place.
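The three remediation points above, carried through as one added example that is not the lamp-cloud fix. It shows the unscoped listing beside a scoped one that binds the caller's employee, company and department IDs from the authentication context, joins an organizational table, and guards the global listing behind an explicit privilege check. The schema (def_user, base_employee), the scope names, the caller-context fields and the sample rows are assumptions chosen for illustration; sqlite3 is used so it runs offline.

```python
"""Row-level data scope for a pageUser-style listing: added example, not
the lamp-cloud fix. Schema, scope names and caller context are assumed."""
import sqlite3

# Assumed minimal schema: users, plus the employee rows that tie a user to a
# company and a department.
SCHEMA = """
CREATE TABLE def_user (id INTEGER PRIMARY KEY, username TEXT NOT NULL);
CREATE TABLE base_employee (
    id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
    company_id INTEGER NOT NULL, dept_id INTEGER NOT NULL);
"""
# Constructed sample data. "lamp" and "superAdmin" are platform accounts
# that belong to no tenant (company 0).
USERS = [(1, "lamp"), (2, "superAdmin"), (3, "alice"), (4, "bob"), (5, "carol")]
EMPLOYEES = [(10, 1, 0, 0), (11, 2, 0, 0), (12, 3, 100, 1),
             (13, 4, 100, 2), (14, 5, 200, 3)]

# Data-scope policies. The fragments are fixed server-side strings selected
# by scope name, never built from request data, so interpolating them is
# safe; every caller attribute enters the query as a bound parameter.
SCOPE_SQL = {
    "SELF": "e.id = :employee_id",
    "DEPT": "e.company_id = :company_id AND e.dept_id = :dept_id",
    "COMPANY": "e.company_id = :company_id",
    "ALL": "1 = 1",
}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO def_user VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO base_employee VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn


def page_user_unscoped(conn):
    """The vulnerable shape: the query never looks at who is asking."""
    rows = conn.execute("SELECT username FROM def_user ORDER BY id")
    return [row[0] for row in rows]


def page_user_scoped(conn, caller, scope):
    """Hardened shape: caller identity comes from the authentication context
    (never from the request body), the query joins the organizational table,
    and global listing needs an explicit privilege check."""
    if scope == "ALL" and not caller.get("super_admin", False):
        raise PermissionError("global user listing requires super admin")
    where = SCOPE_SQL.get(scope)
    if where is None:  # unknown scope: deny rather than fall open
        raise PermissionError("unknown data scope: %r" % (scope,))
    sql = ("SELECT u.username FROM def_user u "
           "JOIN base_employee e ON e.user_id = u.id "
           "WHERE " + where + " ORDER BY u.id")
    params = {"employee_id": caller["employee_id"],
              "company_id": caller["company_id"],
              "dept_id": caller["dept_id"]}
    return [row[0] for row in conn.execute(sql, params)]


def listing_denied(conn, caller, scope):
    """True when the scoped listing refuses the caller outright."""
    try:
        page_user_scoped(conn, caller, scope)
    except PermissionError:
        return True
    return False


# Constructed caller contexts, i.e. what the auth layer would supply.
ALICE = {"employee_id": 12, "company_id": 100, "dept_id": 1, "super_admin": False}
ROOT = {"employee_id": 11, "company_id": 0, "dept_id": 0, "super_admin": True}

if __name__ == "__main__":
    conn = open_db()
    print("unscoped:", page_user_unscoped(conn))
    for scope in ("SELF", "DEPT", "COMPANY"):
        print(scope, "for alice:", page_user_scoped(conn, ALICE, scope))
    print("ALL for alice denied:", listing_denied(conn, ALICE, "ALL"))
```

The unscoped query returns every account, platform administrators included, to any caller; the scoped query returns only alice's own company for COMPANY scope and refuses ALL unless the caller context carries the super-admin flag. The same pattern applies to the count and export paths of the listing, which are easy to forget when the fix is applied only to the page query.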
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated low-privilege users to access user data beyond their authorized organizational scope, including high-privilege and system accounts from other companies or organizations. This results in unauthorized disclosure of private personal information and a significant confidentiality breach.
Such unauthorized exposure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.
The lack of row-level authorization and improper access control increases the risk of violating privacy and security requirements mandated by these standards.