Missing Authorization Vulnerability in Ruoyi-Vue-Pro CRM Module
CVE-2026-57949

7.1 HIGH

Key Information:

Vendor: Yunai
CVE Published: 29 June 2026

What is CVE-2026-57949?

The Ruoyi-Vue-Pro CRM module has a missing authorization vulnerability in the GET /admin-api/crm/follow-up-record/get endpoint. The endpoint performs no proper authorization check on the requested record, so an authenticated user can send requests with sequential numeric IDs and read sensitive information belonging to other users, such as follow-up notes, file attachments, and business entity references. The vulnerability poses significant risks to user privacy and data integrity and highlights the importance of robust access controls within the application.
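For defenders reviewing access logs on an affected deployment, the sequential-ID pattern described above can be flagged per user. This is an added example, not code from the advisory or the project; the log layout, the `id` query parameter name, the user names, the second endpoint path and the run threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

ENDPOINT = "/admin-api/crm/follow-up-record/get"
# Assumed log layout: "<time> user=<login> <METHOD> <path>?<query> <status>"
LINE_RE = re.compile(
    r"^\S+ user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>[^?\s]+)(?:\?(?P<query>\S*))? \d{3}$"
)

# Constructed sample log, not real traffic: alice reads scattered records,
# mallory walks ids 2001-2008, bob hits a different (hypothetical) endpoint.
SAMPLE_LOG = "\n".join(
    [f"2026-06-30T09:00:00Z user=alice GET {ENDPOINT}?id={n} 200" for n in (1042, 977, 1042)]
    + [f"2026-06-30T09:05:00Z user=mallory GET {ENDPOINT}?id={n} 200" for n in range(2001, 2009)]
    + [f"2026-06-30T09:07:00Z user=bob GET /example/other/get?id={n} 200" for n in range(1, 9)]
)


def record_ids_by_user(log_text):
    """Map each user to the set of numeric ids requested from ENDPOINT."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "GET" or m["path"] != ENDPOINT:
            continue
        for value in parse_qs(m["query"] or "").get("id", []):
            if value.isdigit():
                seen[m["user"]].add(int(value))
    return dict(seen)


def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    best = 0
    for i in ids:
        if i - 1 not in ids:  # i starts a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best


def find_enumerators(log_text, min_run=5):
    """Users whose requested ids contain a consecutive run of at least min_run."""
    runs = {u: longest_run(ids) for u, ids in record_ids_by_user(log_text).items()}
    return {u: r for u, r in runs.items() if r >= min_run}
```

Calling `find_enumerators(SAMPLE_LOG)` flags only the user who walked eight consecutive ids; tune `min_run` against how many adjacent records a legitimate user normally opens.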

Affected Version(s)

ruoyi-vue-pro 0 <= 2026.05

ruoyi-vue-pro c779a476617c58a38904191094d22df254b42542

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen