Improper Authorization Vulnerability in YunaiV Ruoyi-Vue-Pro
CVE-2025-10276

5.3MEDIUM

Key Information:

Vendor: Yunaiv
Status: Ruoyi-vue-pro
Vendor: CVE Published:; 12 September 2025

What is CVE-2025-10276?

A security vulnerability has been identified in the YunaiV ruoyi-vue-pro platform prior to version 2025.09, affecting the functionality of the /crm/contract/transfer endpoint. This issue arises from improper handling of arguments tied to user IDs, specifically the id and newOwnerUserId parameters, allowing attackers to bypass authorization checks. Such exploitation could enable unauthorized access to sensitive data and functions within the application. Despite early notification efforts to the vendor regarding this significant flaw, no response was received. Organizations using affected versions are advised to assess their exposure and take appropriate measures to mitigate potential risks.

Affected Version(s)

ruoyi-vue-pro 2025.09

References

https://vuldb.com/?id.323646

vdb-entrytechnical-description

https://vuldb.com/?ctiid.323646

signaturepermissions-required

https://vuldb.com/?submit.643386

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 12, 2025
Vulnerability Reserved
Sep 11, 2025

Credit

aibot888 (VulDB User)