Authorization Bypass in Dromara RuoYi-Vue-Plus by Dromara
CVE-2026-2819
5.3 MEDIUM
What is CVE-2026-2819?
A vulnerability exists in Dromara RuoYi-Vue-Plus affecting versions up to 5.5.3, in the SaServletFilter function of the Workflow Module. Authorization checks are missing when the endpoint /workflow/instance/deleteByInstanceIds is executed, so unauthorized users can initiate attacks remotely. An exploit for this vulnerability is publicly available, so affected users need to implement protective measures immediately. The vendor was notified of the issue but has not responded.
Affected Version(s)
RuoYi-Vue-Plus 5.5.0
RuoYi-Vue-Plus 5.5.1
RuoYi-Vue-Plus 5.5.2
