CVE-2026-58448
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
A broken access control vulnerability in the BPM module of yudao-cloud before version 2026.06 allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected GET endpoint lacking the @PreAuthorize annotation. Attackers can read sensitive workflow data including submitted form variables, approver identities, approval and rejection comments, and process BPMN XML without ownership or tenant party verification.
Risk Assessment
The organization is at risk of leaking sensitive process data, including personal and business information, which may lead to data protection regulation violations and loss of customer trust.
Recommendation
Immediately update yudao-cloud to version 2026.06 or later, and add appropriate @PreAuthorize annotations along with ownership and tenant verification mechanisms to all BPM module endpoints.
Original NVD description (English source)
yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation. Attackers can query any process-instance identifier through the unguarded GET endpoint to read sensitive workflow data including submitted form variables, approver identities, approval and rejection comments, and process BPMN XML without ownership or tenant party verification.

