CVE-2026-57950
HighCVSS 8.1Summary
A broken access control vulnerability in ruoyi-vue-pro through version 2026.05 (fixed in commit 5d1fd70) in ErpSaleOrderController allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting incorrect permission namespace enforcement. Attackers can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders.
Risk Assessment
The organization is at risk of unauthorized modifications and leakage of financial data related to sales orders, potentially leading to financial losses and business process integrity breaches.
Recommendation
Immediately apply commit 5d1fd70 or upgrade to a version newer than 2026.05, and verify the permission configuration for the ErpSaleOrderController.
Original NVD description (English source)
ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders due to the controller enforcing erp:sale-out instead of the intended erp:sale-order namespace.

