CVE-2026-58176
Status: Received - Intake

Unauthorized Workflow Task Management in RuoYi-Vue-Plus

Vulnerability report for CVE-2026-58176, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global authentication. Any authenticated user, regardless of assigned role, can therefore reassign workflow approval tasks to arbitrary users via updateAssignee (defeating segregation of duties in the approval process), urge arbitrary tasks, and enumerate all pending and finished tasks via the pageByAllTaskWait and pageByAllTaskFinish listing endpoints. The issue was resolved by adding permission identifiers (SaCheckPermission) to these endpoints.

Meta Information

Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor    Product          Version / Range
ruoyi     vue_plus         From 5.6.2 (inc)
dromara   ruoyi_vue_plus   to 5.6.2 (inc)

Note: the two CPE ranges disagree. The description states that releases through 5.6.2 are affected and that the fix landed in commit 88d03d9, so treat 5.6.2 and every earlier release as affected and a build containing that commit as fixed.

Exploitability

CWE: CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

AI Quick Actions
Executive Summary

CVE-2026-58176 is a missing authorization vulnerability in RuoYi-Vue-Plus versions up to 5.6.2. The workflow task management endpoints under /workflow/task (FlwTaskController) do not have proper permission checks. Although global authentication is required, any authenticated user can access these endpoints regardless of their assigned role.

This lack of authorization allows users to reassign workflow approval tasks to arbitrary users, urge arbitrary tasks, and list all pending and finished tasks. Essentially, it defeats segregation of duties in the approval process by allowing unauthorized task management actions.

The issue was fixed by adding permission identifiers (SaCheckPermission) to the affected endpoints, ensuring only users with the appropriate permissions can perform these actions.

Impact Analysis

This vulnerability can lead to unauthorized access and manipulation of workflow tasks by any authenticated user, regardless of their role.

  • Reassignment of workflow approval tasks to arbitrary users, which breaks segregation of duties.
  • Ability to urge or push arbitrary tasks, potentially disrupting workflow processes.
  • Enumeration of all pending and finished tasks, exposing potentially sensitive workflow information.

Overall, any authenticated account effectively gains the capabilities of a workflow administrator: unauthorized task management and abuse of the approval process, which amounts to a privilege escalation within the workflow module.

Detection Guidance

This vulnerability can be detected by confirming that the workflow task management endpoints under /workflow/task respond to any authenticated user, not only to users holding the workflow task permissions, instead of returning a permission-denied response.

You can attempt to access or invoke the following endpoints as an authenticated user to test for unauthorized access:

  • Reassign workflow approval tasks via the updateAssignee endpoint.
  • Urge arbitrary tasks.
  • Enumerate all pending tasks using the pageByAllTaskWait endpoint.
  • Enumerate all finished tasks using the pageByAllTaskFinish endpoint.

For example, authenticate as an ordinary user that holds no workflow task permission and issue the requests with curl. On a fixed build the same requests are rejected with a permission-denied response, so if they succeed the system is vulnerable. Because updateAssignee and the urge endpoint change workflow state, send those probes only to a test instance and prefer the two listing endpoints for a read-only check.
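A probe for the runtime check described above, added here as an example; it is not code from the RuoYi-Vue-Plus project. Run it against a test instance with the backend base URL and the Sa-Token token of an ordinary account, one that the fixed version would not grant the workflow permissions. It calls only the two listing endpoints named in the advisory and classifies each response by the business code in the JSON envelope rather than by the HTTP status. The following are assumptions, marked in the comments, to verify against the deployed build: the Authorization: Bearer header and the optional clientid header used by RuoYi-Vue-Plus 5.x, the pageNum/pageSize query parameters, and the code values 401/403 produced by the project's global exception handler. Jackson is used for JSON parsing.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.List;

/**
 * Sends the read-only /workflow/task listing requests with the token of a user that
 * holds no workflow permission and reports whether the handler executed.
 */
public class WorkflowTaskAuthzProbe {

    enum Verdict { VULNERABLE, FIXED, NOT_LOGGED_IN, INCONCLUSIVE }

    private static final ObjectMapper JSON = new ObjectMapper();

    /**
     * Classifies a RuoYi-Vue-Plus response body ({"code":..,"msg":..,...}). The business
     * code, not the HTTP status, is authoritative: the global exception handler maps
     * Sa-Token's NotPermissionException to code 403 and NotLoginException to code 401
     * (assumed default behaviour; check GlobalExceptionHandler on the target build).
     */
    static Verdict classify(String body) {
        try {
            int code = JSON.readTree(body).path("code").asInt(-1);
            switch (code) {
                case 200: return Verdict.VULNERABLE;     // handler ran: no permission gate in front of it
                case 403: return Verdict.FIXED;          // @SaCheckPermission rejected the call
                case 401: return Verdict.NOT_LOGGED_IN;  // bad/expired token or clientid: fix the input, retry
                default:  return Verdict.INCONCLUSIVE;   // e.g. a business error: inspect "msg" by hand
            }
        } catch (Exception e) {
            return Verdict.INCONCLUSIVE;                 // not JSON (proxy page, redirect to login, ...)
        }
    }

    static HttpResponse<String> send(HttpClient client, String url, String token, String clientId)
            throws Exception {
        HttpRequest.Builder b = HttpRequest.newBuilder(URI.create(url))
            .header("Authorization", "Bearer " + token)   // Sa-Token header and prefix as configured by default (assumed)
            .GET();
        if (clientId != null) b.header("clientid", clientId); // 5.x binds a token to a client id (assumed)
        return client.send(b.build(), HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: WorkflowTaskAuthzProbe <base-url> <token-of-unprivileged-user> [clientid]");
            System.exit(2);
        }
        String baseUrl = args[0].replaceAll("/+$", "");
        String token = args[1];
        String clientId = args.length > 2 ? args[2] : null;
        HttpClient client = HttpClient.newHttpClient();

        // Listing endpoints named in the advisory. pageSize=1 keeps the probe cheap; a code-200
        // answer already proves any logged-in user can enumerate every pending/finished task.
        List<String> paths = List.of(
            "/workflow/task/pageByAllTaskWait?pageNum=1&pageSize=1",
            "/workflow/task/pageByAllTaskFinish?pageNum=1&pageSize=1");

        boolean vulnerable = false;
        for (String path : paths) {
            HttpResponse<String> resp = send(client, baseUrl + path, token, clientId);
            Verdict v = classify(resp.body());
            System.out.printf("%-58s HTTP %d -> %s%n", path, resp.statusCode(), v);
            vulnerable |= v == Verdict.VULNERABLE;
        }
        // updateAssignee and the urge endpoint mutate workflow state, so this probe does not
        // call them: the advisory describes the whole controller as unguarded, and a hit on
        // the listings is sufficient evidence. Confirm the write paths only on a test instance.
        System.out.println(vulnerable
            ? "VULNERABLE: /workflow/task reachable without workflow permission"
            : "no unguarded listing endpoint detected");
        System.exit(vulnerable ? 1 : 0);
    }
}
```

Exit status 1 means at least one listing endpoint executed for the unprivileged token; NOT_LOGGED_IN means the token or clientid was rejected before any permission check ran, so the result says nothing about the vulnerability and the probe must be repeated with valid credentials.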

Mitigation Strategies

The immediate mitigation step is to apply the fix introduced in commit 88d03d9 which adds permission checks to the workflow task management endpoints.

This involves adding the @SaCheckPermission annotation with appropriate permission identifiers such as "workflow:task:list" and "workflow:task:edit" to the affected API endpoints in the FlwTaskController.

Additionally, update the database permission entries in the sys_menu table to include these new permission identifiers, ensuring that only authorized users can access or modify workflow tasks.

Until the fix is applied, restrict the /workflow/task endpoints to trusted users, for example by denying the path prefix at the reverse proxy or with a Sa-Token route rule for all but administrative accounts, or disable these endpoints if possible.
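A regression guard to accompany the fix, added here as an example; it is not part of RuoYi-Vue-Plus. The JUnit 5 test scans the workflow controller package with Spring's classpath scanner and fails the build if any public request handler is reachable with the global login check alone, that is, carries neither @SaCheckPermission nor @SaCheckRole at method or class level and has not been explicitly opted out with @SaIgnore. This goes beyond the single controller in the advisory and covers every controller in the package. The package name org.dromara.workflow.controller is an assumption; point it at whatever package holds FlwTaskController.

```java
import cn.dev33.satoken.annotation.SaCheckPermission;
import cn.dev33.satoken.annotation.SaCheckRole;
import cn.dev33.satoken.annotation.SaIgnore;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
import org.springframework.core.annotation.AnnotatedElementUtils;
import org.springframework.core.type.filter.AnnotationTypeFilter;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

import static org.junit.jupiter.api.Assertions.assertTrue;

/**
 * Fails if any request handler in the scanned package is gated by login only, i.e.
 * has no Sa-Token authorization annotation at method or class level and no @SaIgnore.
 */
class WorkflowHandlerAuthorizationTest {

    // Package that holds FlwTaskController and its siblings (assumed name; adjust).
    private static final String BASE_PACKAGE = "org.dromara.workflow.controller";

    /** True when Sa-Token will evaluate a permission or role before this handler runs. */
    static boolean isGuarded(Class<?> controller, Method handler) {
        return AnnotatedElementUtils.hasAnnotation(handler, SaCheckPermission.class)
            || AnnotatedElementUtils.hasAnnotation(handler, SaCheckRole.class)
            || AnnotatedElementUtils.hasAnnotation(handler, SaIgnore.class)   // explicit opt-out, visible in review
            || AnnotatedElementUtils.hasAnnotation(controller, SaCheckPermission.class)
            || AnnotatedElementUtils.hasAnnotation(controller, SaCheckRole.class);
    }

    /** Lists "Controller#method" for every public mapped handler that is not guarded. */
    static List<String> unguardedHandlers(String basePackage) throws ClassNotFoundException {
        ClassPathScanningCandidateComponentProvider scanner =
            new ClassPathScanningCandidateComponentProvider(false);
        scanner.addIncludeFilter(new AnnotationTypeFilter(RestController.class));
        List<String> findings = new ArrayList<>();
        for (BeanDefinition bd : scanner.findCandidateComponents(basePackage)) {
            Class<?> controller = Class.forName(bd.getBeanClassName());
            for (Method m : controller.getDeclaredMethods()) {
                // A handler is a public method carrying @RequestMapping directly or through a
                // meta-annotation such as @GetMapping/@PutMapping/@PostMapping.
                if (!Modifier.isPublic(m.getModifiers())
                    || !AnnotatedElementUtils.hasAnnotation(m, RequestMapping.class)) {
                    continue;
                }
                if (!isGuarded(controller, m)) {
                    findings.add(controller.getSimpleName() + "#" + m.getName());
                }
            }
        }
        return findings;
    }

    @Test
    void everyWorkflowHandlerDeclaresAuthorization() throws Exception {
        List<String> findings = unguardedHandlers(BASE_PACKAGE);
        // On a build without commit 88d03d9 this list names FlwTaskController#updateAssignee,
        // #pageByAllTaskWait, #pageByAllTaskFinish and the controller's other handlers.
        assertTrue(findings.isEmpty(), "handlers gated by login only: " + findings);
    }
}
```

Adding @SaCheckPermission to a handler only helps if the identifier is also granted to the intended roles, so the sys_menu permission entries mentioned above must be created in the same change; the test checks the annotation side, the data side still needs a review of the granted permission strings.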
