CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-58448

mediumCVSS 6.5covered by 1 sourcefirst seen 2026-06-30
yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation. Attackers can query any process-instance identifier through the unguarded GET endpoint to read sensitive workflow data including submitted form variables, approver identities, approval and rejection comments, and process BPMN XML without ownership or tenant party verification.

⚡ Watch CVE-2026-58448

Get an email if CVE-2026-58448 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-58448

CVE.org record

Embed the live status

CVE-2026-58448 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-58448 status](https://www.csirts.com/badge/CVE-2026-58448)](https://www.csirts.com/cve/CVE-2026-58448)