Executive Summary

This vulnerability, identified as CVE-2026-5529, is a broken access control issue in the Dromara lamp-cloud project affecting the function pageUser in the DefUserController component. It allows authenticated low-privilege users to remotely access and enumerate user data beyond their authorized organizational boundaries, including high-privilege and system accounts.

The root cause is a lack of row-level authorization in the SQL query used by the pageUser endpoint, which does not enforce restrictions based on the caller's employee ID, company ID, or organizational relationships. As a result, users can retrieve user profile data from other companies or organizations without needing administrative privileges.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive user information across organizational boundaries. Any authenticated user with permission to access the pageUser endpoint can enumerate users outside their own organization, including super administrators and other high-privilege accounts.

The impact includes a significant confidentiality breach and broad user enumeration, which could be leveraged for further attacks or privilege escalation within the affected system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the POST /defUser/pageUser endpoint with an authenticated low-privilege user account and checking if the response includes user data from outside the caller's organization or company.

A suggested detection method is to authenticate as a normal user with permission to access the endpoint, then send a POST request with the body {"current":1,"size":20,"model":{}} to /defUser/pageUser and observe if the response contains users such as "lamp" or "superAdmin" from other organizations.

Example command using curl:

• curl -X POST https://your-lamp-cloud-instance/defUser/pageUser -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"current":1,"size":20,"model":{}}'

If the response includes user entries beyond the authenticated user's organization, it indicates the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the POST /defUser/pageUser endpoint to only trusted or administrative users until a proper fix is applied.

Additionally, monitor and audit access logs for unusual or unauthorized queries to this endpoint.

Longer term, apply the suggested remediation by implementing row-level data scope enforcement in the SQL queries and service layers, ensuring that user data returned is strictly limited to the caller's organization or company.

• Bind caller's employee ID, company ID, and department ID from authentication context to the query.
• Add joins with organizational relationship tables and enforce role-based data scope policies.
• Add server-side authorization guards for privileged or global user listing operations.

Until a patch or update is available, consider disabling or limiting the affected functionality to prevent unauthorized data exposure.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows authenticated low-privilege users to access user data beyond their authorized organizational scope, including high-privilege and system accounts from other companies or organizations. This results in unauthorized disclosure of private personal information and a significant confidentiality breach.

Such unauthorized exposure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

The lack of row-level authorization and improper access control increases the risk of violating privacy and security requirements mandated by these standards.

Useful 0 Not Useful 0