CVE-2026-57949
Status: Received - Intake

Missing Authorization in RuoYi-Vue-Pro CRM Module

Vulnerability report for CVE-2026-57949, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this by sending requests with arbitrary ID parameters to access other users' follow-up notes, file attachments, scheduling information, and business entity references without proper authorization checks.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Page generated: 2026-06-29
AI Q&A generated: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: ruoyi
Product: ruoyi-vue-pro
Version / Range: From 2026.05 (inc)

CWE

CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

CVE-2026-57949 is a missing authorization vulnerability in the ruoyi-vue-pro CRM module affecting versions up to 2026.05. It exists in the GET /admin-api/crm/follow-up-record/get endpoint, where authenticated users can access any follow-up record by manipulating sequential numeric IDs.

This flaw allows attackers to send requests with arbitrary ID parameters to read other users' follow-up notes, file attachments, scheduling information, and business entity references without proper authorization checks.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive CRM data. Attackers with valid authentication can enumerate and access confidential follow-up records belonging to other users.

  • Exposure of private follow-up notes and business communications.
  • Access to file attachments and scheduling details related to other users.
  • Leakage of business entity references, potentially revealing confidential sales strategies and client interactions.

Such unauthorized access can compromise business confidentiality and competitive intelligence.

Detection Guidance

This vulnerability can be detected by monitoring requests to the GET /admin-api/crm/follow-up-record/get endpoint for a single authenticated user stepping through sequential numeric id values.

A practical detection method is to analyze authenticated user requests in web server or application logs and flag any principal that retrieves many follow-up records with consecutive IDs in a short period, which indicates an enumeration attempt.

For example, you can use network monitoring tools or web server logs to identify repeated requests like:

  • curl -H "Authorization: Bearer <token>" "https://<your-domain>/admin-api/crm/follow-up-record/get?id=1"
  • curl -H "Authorization: Bearer <token>" "https://<your-domain>/admin-api/crm/follow-up-record/get?id=2"

Automated scripts or tools can be used to scan for unauthorized access by iterating over ID values and checking if records are returned without proper authorization.
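
The log-based check described above, written out as an added example (not code from the ruoyi-vue-pro project or from this report): it parses constructed "combined"-format access-log lines, keeps only successful reads of the affected endpoint, and raises one alert per user whose reads form a run of consecutive record IDs inside a short window. The log format, the `min_run` and `window` thresholds, and the sample users are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines ("combined" format, authenticated user in the
# third field); illustrative only, not real traffic from any deployment.
SAMPLE_LOG = """\
10.0.0.5 - alice [29/Jun/2026:10:00:01 +0000] "GET /admin-api/crm/follow-up-record/get?id=17 HTTP/1.1" 200 512
10.0.0.5 - alice [29/Jun/2026:10:07:30 +0000] "GET /admin-api/crm/follow-up-record/get?id=42 HTTP/1.1" 200 498
10.0.0.9 - bob [29/Jun/2026:10:10:00 +0000] "GET /admin-api/crm/follow-up-record/get?id=1 HTTP/1.1" 200 301
10.0.0.9 - bob [29/Jun/2026:10:10:01 +0000] "GET /admin-api/crm/follow-up-record/get?id=2 HTTP/1.1" 200 322
10.0.0.9 - bob [29/Jun/2026:10:10:01 +0000] "GET /admin-api/crm/follow-up-record/get?id=3 HTTP/1.1" 200 290
10.0.0.9 - bob [29/Jun/2026:10:10:02 +0000] "GET /admin-api/crm/follow-up-record/get?id=4 HTTP/1.1" 200 310
10.0.0.9 - bob [29/Jun/2026:10:10:02 +0000] "GET /admin-api/crm/follow-up-record/get?id=5 HTTP/1.1" 200 305
"""

ENDPOINT = "/admin-api/crm/follow-up-record/get"
LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "GET '
    + re.escape(ENDPOINT) + r'\?id=(?P<id>\d+)[^"]*" (?P<status>\d{3})'
)

def parse_lines(text):
    """Yield (user, timestamp, record_id) for successful (200) reads of the endpoint."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "200":
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("user"), ts, int(m.group("id"))

def find_enumeration(text, min_run=4, window=timedelta(seconds=60)):
    """Return one alert per user whose successful reads form a run of at least
    `min_run` consecutive IDs (each id == previous + 1) started within `window`."""
    by_user = defaultdict(list)
    for user, ts, rid in parse_lines(text):
        by_user[user].append((ts, rid))
    alerts = []
    for user, hits in by_user.items():
        hits.sort()  # chronological; ties broken by id
        run_start = 0
        for i in range(1, len(hits) + 1):  # i == len(hits) closes the final run
            contiguous = (i < len(hits) and hits[i][1] == hits[i - 1][1] + 1
                          and hits[i][0] - hits[run_start][0] <= window)
            if not contiguous:
                if i - run_start >= min_run:
                    alerts.append({"user": user, "first_id": hits[run_start][1],
                                   "last_id": hits[i - 1][1], "count": i - run_start})
                run_start = i
    return alerts
```

Only 200 responses count, so a deployment that already applies the patch (denying the request) produces no alert; alice's two unrelated reads stay below the threshold while bob's five consecutive IDs are flagged.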

Mitigation Strategies

The immediate mitigation step is to update ruoyi-vue-pro to a version that includes the fix from commit c779a47, which adds proper authorization checks to the GET /admin-api/crm/follow-up-record/get endpoint.

If updating immediately is not possible, restrict access to the vulnerable endpoint to only trusted users and monitor for suspicious activity involving sequential ID enumeration.

Additionally, implement or enforce authorization checks that verify the requesting user's permission to access the specific follow-up record before returning any data.

Review and apply the patch described in commit c779a47, which includes adding READ permission validation for the associated CRM business object and throwing exceptions when unauthorized access is attempted.
