CVE-2026-7679
Published: 03 May 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-7679 is an improper authentication vulnerability (CWE-287) affecting YunaiV yudao-cloud versions up to 2026.01. The flaw resides in the getAccessToken function within the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. It allows manipulation that bypasses authentication mechanisms, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized access to OAuth2 tokens or related resources through improper authentication handling.
Advisories from VulDB and a GitHub issue on 9str0IL/CVE detail the vulnerability but note no vendor response despite early disclosure contact. An exploit is publicly available, increasing the risk of attacks, with no patches or official mitigations referenced. Security practitioners should monitor deployments, restrict network access to affected components, and consider manual code reviews or upgrades if available.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated remote auth bypass in a public-facing OAuth2 token service, directly enabling exploitation of public-facing applications for initial access and token acquisition.