Broken Access Control in Ruoyi Vue Pro Affecting Sale Order Management
CVE-2026-57950

8.6 HIGH

Key Information:

Vendor: Yunai
CVE Published: 29 June 2026

What is CVE-2026-57950?

The Ruoyi Vue Pro framework has a broken access control vulnerability in ErpSaleOrderController. The controller's sale order endpoints enforce the erp:sale-out (shipment) permissions instead of the intended erp:sale-order permissions, so an authenticated user who holds only shipment-level permissions can create, update, delete, and read sale orders. Exploitation therefore requires an account with the erp:sale-out permissions, but no sale order permissions at all. Because the affected operations cover the full sale order lifecycle, the unauthorized access can have serious financial consequences. The issue is fixed in commit 5d1fd70, which restores the correct erp:sale-order permission checks on the controller.
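The pattern behind this CVE is a controller whose route lives in one permission namespace while its checks reference another. The audit below, an added example that is not code from ruoyi-vue-pro or its maintainers, scans a Spring controller source for @PreAuthorize permission strings whose namespace does not match the class-level @RequestMapping route, and can rewrite them to the expected namespace. The controller text is constructed for illustration (it is not the real ErpSaleOrderController source), and the example assumes the permission strings follow a `module:resource:action` convention derived from the route, which is an assumption about the project's convention rather than something this advisory states.

```python
"""Audit a Spring controller for @PreAuthorize permission strings whose
namespace does not match the controller's route, the mismatch class behind
CVE-2026-57950 (erp:sale-out:* checks guarding /erp/sale-order/* endpoints).

Added example, not code from ruoyi-vue-pro. The controller text below is
constructed to show the pattern and is not the project's real source file.
Assumption: permissions are 'module:resource:action' strings whose
'module:resource' part is the class-level route with '/' turned into ':'.
"""
import re

# Constructed sample: base path /erp/sale-order, but two endpoints check the
# erp:sale-out namespace (the bug); the third is correctly scoped for contrast.
SAMPLE_CONTROLLER = '''
@RestController
@RequestMapping("/erp/sale-order")
public class ErpSaleOrderController {

    @PostMapping("/create")
    @PreAuthorize("@ss.hasPermission('erp:sale-out:create')")
    public CommonResult<Long> createSaleOrder(@Valid @RequestBody ErpSaleOrderSaveReqVO createReqVO) {
        return success(saleOrderService.createSaleOrder(createReqVO));
    }

    @PutMapping("/update")
    @PreAuthorize("@ss.hasPermission('erp:sale-out:update')")
    public CommonResult<Boolean> updateSaleOrder(@Valid @RequestBody ErpSaleOrderSaveReqVO updateReqVO) {
        saleOrderService.updateSaleOrder(updateReqVO);
        return success(true);
    }

    @GetMapping("/get")
    @PreAuthorize("@ss.hasPermission('erp:sale-order:query')")
    public CommonResult<ErpSaleOrderRespVO> getSaleOrder(@RequestParam("id") Long id) {
        return success(saleOrderService.getSaleOrder(id));
    }
}
'''

# Class-level route, e.g. @RequestMapping("/erp/sale-order")
BASE_PATH_RE = re.compile(r'@RequestMapping\(\s*"([^"]+)"\s*\)')
# A method mapping annotation immediately followed by its @PreAuthorize check
ENDPOINT_RE = re.compile(
    r'@(?:Get|Post|Put|Delete)Mapping\(\s*"([^"]+)"\s*\)\s*'
    r"@PreAuthorize\(\"@ss\.hasPermission\('([^']+)'\)\"\)"
)
PERMISSION_RE = re.compile(r"@ss\.hasPermission\('([^']+)'\)")


def expected_namespace(base_path: str) -> str:
    """Map a route to the permission namespace it should check: '/erp/sale-order' -> 'erp:sale-order'."""
    return ":".join(seg for seg in base_path.strip("/").split("/") if seg)


def find_mismatches(source: str) -> list:
    """Return one finding per endpoint whose permission namespace differs from the route's."""
    m = BASE_PATH_RE.search(source)
    if not m:
        raise ValueError("no class-level @RequestMapping found")
    expected = expected_namespace(m.group(1))
    findings = []
    for route, perm in ENDPOINT_RE.findall(source):
        namespace = perm.rsplit(":", 1)[0]  # drop the trailing ':action'
        if namespace != expected:
            findings.append({"route": route, "permission": perm, "expected_namespace": expected})
    return findings


def rewrite_namespace(source: str) -> str:
    """Return the source with every permission string moved onto the route's namespace (the fix)."""
    m = BASE_PATH_RE.search(source)
    if not m:
        raise ValueError("no class-level @RequestMapping found")
    expected = expected_namespace(m.group(1))

    def repl(match):
        action = match.group(1).rsplit(":", 1)[-1]
        return f"@ss.hasPermission('{expected}:{action}')"

    return PERMISSION_RE.sub(repl, source)


if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_CONTROLLER):
        print(f"{f['route']}: checks {f['permission']}, expected namespace {f['expected_namespace']}")
    assert find_mismatches(rewrite_namespace(SAMPLE_CONTROLLER)) == []
```

Running the audit against the constructed controller reports `/create` and `/update` as guarded by erp:sale-out permissions; after `rewrite_namespace` every check sits under erp:sale-order and the audit reports nothing. The same scan run over a checkout of the real code base is a cheap regression check for this bug class across all ERP controllers, not just the one named in the advisory.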

Affected Version(s)

ruoyi-vue-pro, all versions up to and including 2026.05

Fixed in: ruoyi-vue-pro commit 5d1fd70dc3e61bf64e7ce3328a71cc60001175c6

References

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability Reserved

  • Vulnerability published: 29 June 2026

Credit

George Chen