CVE-2026-57950

Unauthorized Sale Order Access in RuoYi-Vue-Pro

Vulnerability report for CVE-2026-57950, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

ruoyi-vue-pro through 2026.05 (fixed in commit 5d1fd70) contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders because the controller enforces erp:sale-out instead of the intended erp:sale-order namespace.


Affected Vendors & Products

Vendor: yunai
Product: ruoyi-vue-pro
Version / Range: up to and including 2026.05

CWE

CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Executive Summary

CVE-2026-57950 is a broken access control vulnerability in the ruoyi-vue-pro software, specifically in the ErpSaleOrderController. The controller incorrectly enforces the permission namespace 'erp:sale-out' instead of the intended 'erp:sale-order'. This misconfiguration allows attackers who have shipment-level permissions (erp:sale-out) to gain unauthorized access to sale order operations.

Because of this incorrect permission enforcement, attackers can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders, which should be protected separately from shipment permissions.

Impact Analysis

This vulnerability can lead to unauthorized users performing critical operations on sale orders, such as creating fraudulent orders, modifying prices and quantities, or deleting existing orders.

It breaks the segregation of duties between sales and warehouse operations, potentially causing financial fraud or errors within the ERP system.

The integrity and confidentiality of sale order data are compromised, which can have significant business and financial impacts.

Detection Guidance

This vulnerability involves incorrect permission namespace enforcement in the ErpSaleOrderController, allowing users with erp:sale-out permissions to access sale order operations improperly.

To detect this vulnerability on your system, you can audit the permissions assigned to users, specifically checking if users with only erp:sale-out permissions are able to perform create, update, delete, or read operations on sale orders.

Because the flaw is a permission misconfiguration in the application code, detection means either querying the application logs or exercising the sale order API endpoints with accounts that hold different permission sets.

  • Use API calls or curl commands to test sale order endpoints (create, update, delete, read) with a user account that only has erp:sale-out permissions to see if access is granted.
  • Example curl command to test read access on sale orders with erp:sale-out permissions: curl -H "Authorization: Bearer <token_with_erp:sale-out>" https://<your-erp-domain>/api/sale-order/query
  • Review application logs for unauthorized access attempts or successful operations on sale orders by users who should only have shipment-level permissions.
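A source-side audit complements the runtime checks above. The following is an added example, not code from this page or from the ruoyi-vue-pro project: it scans a controller for @PreAuthorize permission strings whose namespace does not match the resource the controller is named for, which is exactly the erp:sale-out versus erp:sale-order mismatch described here. It assumes the project's `@PreAuthorize("@ss.hasPermission('module:resource:action')")` convention and the naming rule Erp<Resource>Controller -> erp:<resource>; the embedded Java snippet is constructed for the demonstration.

```python
import re

# Assumed convention (ruoyi-vue-pro style): every endpoint is guarded with
# @PreAuthorize("@ss.hasPermission('<module>:<resource>:<action>')").
PERMISSION_RE = re.compile(r"@PreAuthorize\(\s*\"@ss\.hasPermission\('([^']+)'\)\"\s*\)")
CONTROLLER_RE = re.compile(r"public\s+class\s+(\w+Controller)\b")

# Constructed sample mirroring the CVE-2026-57950 pattern: a sale-order
# controller whose create/delete endpoints check the erp:sale-out namespace.
SAMPLE_CONTROLLER = """@RestController
@RequestMapping("/erp/sale-order")
public class ErpSaleOrderController {
    @PostMapping("/create")
    @PreAuthorize("@ss.hasPermission('erp:sale-out:create')")
    public CommonResult<Long> create(@RequestBody SaleOrderSaveReqVO vo) { /* ... */ }
    @GetMapping("/page")
    @PreAuthorize("@ss.hasPermission('erp:sale-order:query')")
    public CommonResult<PageResult<SaleOrderRespVO>> page(SaleOrderPageReqVO vo) { /* ... */ }
    @DeleteMapping("/delete")
    @PreAuthorize("@ss.hasPermission('erp:sale-out:delete')")
    public CommonResult<Boolean> delete(@RequestParam("ids") List<Long> ids) { /* ... */ }
}"""

def expected_namespace(controller_name: str) -> str:
    """Naming rule assumed here: Erp<Resource>Controller -> erp:<resource> (ErpSaleOrderController -> erp:sale-order)."""
    words = re.findall(r"[A-Z][a-z0-9]*", controller_name.removesuffix("Controller"))
    module, *resource = (w.lower() for w in words)
    return f"{module}:{'-'.join(resource)}"

def find_mismatches(java_source: str) -> list[tuple[int, str, str]]:
    """Return (line_no, permission_found, permission_expected) for each @PreAuthorize whose namespace differs from the controller's own."""
    match = CONTROLLER_RE.search(java_source)
    if match is None:
        raise ValueError("no *Controller class found in source")
    expected = expected_namespace(match.group(1))
    findings = []
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        perm_match = PERMISSION_RE.search(line)
        if perm_match is None:
            continue
        perm = perm_match.group(1)
        namespace, _, action = perm.rpartition(":")  # split off the action suffix
        if namespace != expected:
            findings.append((line_no, perm, f"{expected}:{action}"))
    return findings

if __name__ == "__main__":
    for line_no, found, wanted in find_mismatches(SAMPLE_CONTROLLER):
        print(f"line {line_no}: enforces {found!r}, expected {wanted!r}")
```

Run it over each controller file after upgrading to confirm the fix from commit 5d1fd70 is present, and keep it in CI so a later edit cannot reintroduce a cross-namespace check.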

Mitigation Strategies

The vulnerability has been fixed in commit 5d1fd70 by correcting the permission namespace from erp:sale-out to erp:sale-order in the ErpSaleOrderController.

Immediate mitigation steps include:

  • Update your ruoyi-vue-pro installation to a version that includes the fix from commit 5d1fd70 or later.
  • If immediate update is not possible, restrict or audit users who have erp:sale-out permissions to ensure they do not perform unauthorized sale order operations.
  • Review and correct permission assignments to ensure separation between shipment-level permissions (erp:sale-out) and sale order permissions (erp:sale-order).
  • Implement additional monitoring and alerting on sale order operations performed by users with shipment-level permissions.
