216.73.217.50

CVE-2026-58448

· Published 01/07/2026 00:16 · Author: The MITRE Corporation

Labels: CVE-2026-58448

Essential information

Published
01/07/2026 00:16
Modified
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
6.5 MEDIUM (v3.1) 7.1 HIGH (v4.0)
CISA KEV
No
CWE
CWE-862
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS metrics

Description

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation. Attackers can query any process-instance identifier through the unguarded GET endpoint to read sensitive workflow data including submitted form variables, approver identities, approval and rejection comments, and process BPMN XML without ownership or tenant party verification.

NVD status

NVD
View on NVD