Broken Access Control in Yudao Cloud BPM Module
CVE-2026-58448

7.1HIGH

Key Information:

Vendor: Yunaiv
Status: Yudao-cloud
Vendor: CVE Published:; 30 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-58448?

The Yudao Cloud BPM module prior to version 2026.06 is susceptible to a broken access control vulnerability. This flaw enables any authenticated user to manipulate a caller-controlled process-instance identifier to access unprotected endpoints. Consequently, attackers can exploit this vulnerability to retrieve sensitive data including submitted form variables, approver identities, and other workflow-related information without any verification of ownership or associated tenant security protocols. This presents a significant risk of exposing confidential workflow data through an improperly secured GET endpoint.

Affected Version(s)

yudao-cloud 0 < 2026.06

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-58448 - Proof of Concept

References

https://github.com/YunaiV/yudao-cloud/releases#release-v2...

release-notespatch

https://github.com/YunaiV/yudao-cloud/issues/315

technical-descriptionexploit

https://www.vulncheck.com/advisories/yudao-cloud-bpm-modu...

third-party-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 30, 2026
👾
Exploit known to exist
Jun 30, 2026
Vulnerability published
Jun 30, 2026
Vulnerability Reserved
Jun 30, 2026

Credit

George Chen

CVE-2026-58448 Data

JSON

Yunaiv

Badges

What is CVE-2026-58448?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit