Ruoyi Incorrect Access Control Vulnerability in User Password Reset Function

Vulnerability

An access control vulnerability has been identified in Ruoyi version 4.8.0. The password reset method of the SysUserController performs no permission check before acting on the requested user, so a caller who lacks the corresponding permission can invoke it and read information about other users. The result is unauthorized information disclosure.
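
The defect class described above, as an added illustration that is neither RuoYi's source nor part of this report: a hypothetical Shiro/Spring MVC controller whose GET reset handler carries no permission annotation while its POST counterpart does, the hardened form in which both handlers declare the permission, and a reflection-based audit that lists request handlers with no permission requirement. The class names, method names, route paths and the permission string system:user:resetPwd are assumptions.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;

// Hypothetical controller shaped like the report describes (not RuoYi's code):
// the GET handler that loads a user record for the reset form has no permission
// check, while the POST handler that stores the new password does.
@RequestMapping("/system/user")
class VulnerableUserController {
    @GetMapping("/resetPwd/{userId}")
    public String resetPwd(Long userId) { return "system/user/resetPwd"; }
    @RequiresPermissions("system:user:resetPwd") // permission string is assumed
    @PostMapping("/resetPwd")
    public String resetPwdSave(Long userId, String password) { return "ok"; }
}

// Hardened form: every handler in the reset flow declares the permission it needs.
@RequestMapping("/system/user")
class HardenedUserController {
    @RequiresPermissions("system:user:resetPwd")
    @GetMapping("/resetPwd/{userId}")
    public String resetPwd(Long userId) { return "system/user/resetPwd"; }
    @RequiresPermissions("system:user:resetPwd")
    @PostMapping("/resetPwd")
    public String resetPwdSave(Long userId, String password) { return "ok"; }
}

public class AuthzAudit {
    // Returns "Class.method" for each request handler that declares no
    // @RequiresPermissions. Deliberately simple: it ignores class-level and
    // other Shiro annotations (e.g. @RequiresRoles), so extend it to match
    // the conventions of the code base being audited.
    public static List<String> unguardedHandlers(Class<?> controller) {
        List<String> missing = new ArrayList<>();
        for (Method m : controller.getDeclaredMethods()) {
            boolean isHandler = m.isAnnotationPresent(GetMapping.class)
                    || m.isAnnotationPresent(PostMapping.class)
                    || m.isAnnotationPresent(RequestMapping.class);
            if (isHandler && !m.isAnnotationPresent(RequiresPermissions.class)) {
                missing.add(controller.getSimpleName() + "." + m.getName());
            }
        }
        return missing;
    }
}
```

Call unguardedHandlers on each controller class from a unit test and fail the build when the list is non-empty, so a handler added without an authorization annotation is caught before release.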

Impact

Exploitation of this vulnerability could give an attacker access to user information that the affected method exposes, allowing them to read sensitive data about other users without holding the required permission.

Added: Nov 26, 2025, 4:22 PM
Updated: Nov 26, 2025, 4:22 PM

Vulnerability Rating (Custom Algorithm)

  Category         Score
  spread           5.0
  impact           2.5
  exploitability   5.9
  remediation      0.0
  relevance        1.2
  threat           3.2
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.