Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-58176

CVE-2026-58176: RuoYi-Vue-Plus Auth Bypass Vulnerability

CVE-2026-58176 is an authentication bypass flaw in RuoYi-Vue-Plus that allows any authenticated user to manipulate workflow tasks and defeat approval controls. This post covers technical details, affected versions, and fixes.

Published:

CVE-2026-58176 Overview

CVE-2026-58176 is a missing authorization vulnerability [CWE-862] in RuoYi-Vue-Plus, an open-source rapid development platform based on Spring Boot and Vue. The FlwTaskController exposes workflow task management endpoints under /workflow/task without any permission check. The controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global authentication. Any authenticated user can reassign workflow approval tasks, urge arbitrary tasks, and enumerate all pending and finished tasks. The issue affects RuoYi-Vue-Plus through version 5.6.2 and was fixed in commit 88d03d9.

Critical Impact

Authenticated low-privilege users can reassign workflow approval tasks to arbitrary users, defeating segregation of duties in approval processes and enabling manipulation of business-critical workflows.

Affected Products

  • RuoYi-Vue-Plus through version 5.6.2
  • FlwTaskController in ruoyi-modules/ruoyi-workflow
  • Workflow task management endpoints under /workflow/task

Discovery Timeline

  • 2026-06-30 - CVE CVE-2026-58176 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-58176

Vulnerability Analysis

RuoYi-Vue-Plus uses the Sa-Token authorization framework, which enforces permission checks via the @SaCheckPermission annotation. The FlwTaskController class handling workflow task endpoints omits these annotations entirely. As a result, permission gating relies solely on the global authentication filter, and any logged-in user passes the check.

Three endpoint groups are directly impacted. The updateAssignee endpoint allows reassignment of workflow approval tasks to arbitrary users, breaking segregation of duties. The task urging endpoint permits any user to trigger notifications on tasks they do not own. The pageByAllTaskWait and pageByAllTaskFinish listing endpoints expose all pending and finished workflow tasks across the platform.

Root Cause

The root cause is a missing authorization control [CWE-862]. The developers implemented role-based menu identifiers such as workflow:task:list and workflow:task:edit in the frontend menu configuration but never enforced these identifiers at the controller layer. The backend endpoints therefore trust any authenticated session regardless of assigned role.

Attack Vector

An attacker requires only valid credentials for any account on the target instance. They can then issue HTTP requests directly to the workflow task endpoints, bypassing the frontend UI that would otherwise hide these functions from unprivileged users. The attack requires no user interaction and executes over the network.

java
// Security patch applied to FlwTaskController.java
 package org.dromara.workflow.controller;
 
+import cn.dev33.satoken.annotation.SaCheckPermission;
 import lombok.RequiredArgsConstructor;
 import org.dromara.common.core.domain.R;
 import org.dromara.common.core.domain.dto.StartProcessReturnDTO;

Source: GitHub commit 88d03d9

The patch imports the SaCheckPermission annotation and applies it to the previously unprotected endpoints, enforcing permission identifiers such as workflow:task:list and workflow:task:edit at the controller layer.

Detection Methods for CVE-2026-58176

Indicators of Compromise

  • Unexpected POST requests to /workflow/task/updateAssignee originating from user accounts without workflow administration roles.
  • GET requests to /workflow/task/pageByAllTaskWait or /workflow/task/pageByAllTaskFinish from accounts that do not appear in workflow administrator groups.
  • Audit log entries showing workflow task assignee changes not initiated by an authorized approver.

Detection Strategies

  • Review application access logs for authenticated requests to /workflow/task/* endpoints and correlate the requester's role against expected workflow permissions.
  • Deploy web application firewall rules that log all requests to the workflow task management path and flag those originating from non-administrative user sessions.
  • Compare workflow task assignee change events against role assignments in the sys_user_role table to identify unauthorized reassignments.

Monitoring Recommendations

  • Enable verbose HTTP request logging on the RuoYi-Vue-Plus application server, including authenticated user identity, endpoint path, and response status.
  • Alert on any change to workflow task assignees where the acting user lacks the workflow:task:edit permission identifier.
  • Monitor for enumeration patterns such as sequential pagination requests to pageByAllTaskWait from a single user session.

How to Mitigate CVE-2026-58176

Immediate Actions Required

  • Upgrade RuoYi-Vue-Plus to the release containing commit 88d03d9 or later, which adds SaCheckPermission annotations to the affected endpoints.
  • Audit existing user accounts and revoke unnecessary access to workflow modules until the patch is applied.
  • Review workflow audit trails for unauthorized assignee changes performed since the vulnerable version was deployed.

Patch Information

The vulnerability is resolved in commit 88d03d9 of the dromara/RuoYi-Vue-Plus repository. The fix introduces @SaCheckPermission annotations on FlwTaskController methods and adds new menu permission identifiers, including workflow:task:list and workflow:task:edit, to the SQL initialization scripts. See the VulnCheck advisory for full advisory details.

Workarounds

  • Restrict network access to the /workflow/task/* endpoints via a reverse proxy or WAF, allowing only source IPs used by workflow administrators.
  • Apply a custom Spring interceptor that enforces role checks on the FlwTaskController request mappings until the upstream patch can be deployed.
  • Temporarily disable the workflow module for non-administrative users by revoking the parent workflow menu assignment in the sys_role_menu table.
bash
# Verify patched menu permission identifiers exist in the database
mysql -u ruoyi -p ry-vue -e "SELECT menu_id, menu_name, perms FROM sys_menu WHERE perms IN ('workflow:task:list','workflow:task:edit');"

# Confirm the running application includes the fix commit
git -C /opt/RuoYi-Vue-Plus log --oneline | grep 88d03d9

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.