CVE-2026-57949
MediumCVSS 6.5Summary
A missing authorization vulnerability in the CRM module of ruoyi-vue-pro (up to version 2026.05, fixed in commit c779a47) exists in the GET /admin-api/crm/follow-up-record/get endpoint. Authenticated users can read any follow-up record by iterating sequential numeric IDs.
Risk Assessment
Attackers can access sensitive follow-up notes, file attachments, scheduling information, and business entity references of other users, leading to data confidentiality breaches and potential privilege escalation.
Recommendation
Apply the patch from commit c779a47 immediately or upgrade to a version newer than 2026.05. Additionally, implement access control based on record ownership.
Original NVD description (English source)
ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this by sending requests with arbitrary ID parameters to access other users' follow-up notes, file attachments, scheduling information, and business entity references without proper authorization checks.

