Skip to content
CVSS 7.3 · HIGH

CVE-2026-7679

A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Ver en NVD

Análisis

The vulnerability involves an authentication bypass in the yudao-cloud framework's OAuth2 implementation. Although the exploit is public and the impact is high for users of this specific Java framework, it is considered niche software with limited adoption in the local developer community.

Severidad

Puntaje: 7.3(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: LOW
I: LOW
A: LOW
Tipo de falla (CWE): CWE-287

EPSS

Probabilidad de explotación (próx. 30 días): 0.0008 (0.1%)
Percentil: 23.7%
EPSS: 2026-05-06

Descripción técnica

A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Publicada: 3/5/2026, 5:15:59
Última modificación: 5/5/2026, 19:13:44

Referencias

InicioEventosBlogRecursosEquipo