CVE Catalog

CVE-2026-57949

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Summary

A missing authorization vulnerability in the CRM module of ruoyi-vue-pro (up to version 2026.05, fixed in commit c779a47) exists in the GET /admin-api/crm/follow-up-record/get endpoint. Authenticated users can read any follow-up record by iterating sequential numeric IDs.

Risk Assessment

Attackers can access sensitive follow-up notes, file attachments, scheduling information, and business entity references of other users, leading to data confidentiality breaches and potential privilege escalation.

Recommendation

Apply the patch from commit c779a47 immediately or upgrade to a version newer than 2026.05. Additionally, implement access control based on record ownership.

Original NVD description (English source)

ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this by sending requests with arbitrary ID parameters to access other users' follow-up notes, file attachments, scheduling information, and business entity references without proper authorization checks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS