YunaiV yudao-cloud Improper Authentication Vulnerability in OAuth2 Token Service
Vulnerability
An authentication bypass vulnerability has been identified in YunaiV yudao-cloud versions prior to 2026.01. The issue resides in the OAuth2TokenServiceImpl class, specifically within the getAccessToken method, which does not verify that the token it resolves is an access token. As a result a refresh token can be presented in place of an access token, and any endpoint that authenticates bearer tokens through this method accepts it as proof of identity, bypassing the intended authentication mechanism. The flaw can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows attackers to bypass authentication and gain unauthorized access to protected API resources. This could lead to exposure of confidential user data and system information, and depending on the privileges associated with the refresh token, could also allow for privilege escalation. Because refresh tokens are normally issued with a far longer lifetime than access tokens, a leaked or stolen refresh token also gives an attacker a much longer window of direct API access than the short-lived access token it was meant to renew.
Reproduction
To reproduce this vulnerability, first obtain a valid refresh token by logging into the application. This can be done by sending a POST request to the login endpoint with the appropriate credentials; the response contains both an access token and a refresh token. Then use the refresh token in place of the access token by sending it in the Authorization header as 'Bearer <refresh_token>' on a request to a protected API resource. On a vulnerable instance the request is accepted and the resource is returned; a correctly behaving instance rejects the request, since a refresh token is only valid for obtaining a new token pair and never as a bearer credential.
Remediation
To address this vulnerability, the getAccessToken method should be modified to accept only access tokens and reject refresh tokens, either by checking the type of the resolved token or by resolving access tokens from a store that refresh tokens are never written to. Additionally, strict token type validation on every token-consuming path (including the refresh path, which should accept only refresh tokens), origin tracking, rate limiting for token validation requests, anomaly detection for unusual token usage patterns, and logging of failed token validation attempts can further reduce exposure.
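The following is an added illustration and is not yudao-cloud's code: a minimal token service in plain Java (it uses records, so Java 16 or later) that keeps access and refresh tokens in one lookup table, the shape of flaw described above, beside the type-checked lookup the remediation calls for. Its main method replays the step from the Reproduction section in-process, presenting a refresh token as 'Bearer <refresh_token>'. Every class, method and field name here (OAuth2Token, TokenTypeValidationExample, issue, getAccessTokenVulnerable, getAccessTokenHardened, refresh, bearer) is hypothetical and does not correspond to the project's OAuth2TokenServiceImpl.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added example, not yudao-cloud's code. All names are hypothetical.
public class TokenTypeValidationExample {

    enum TokenType { ACCESS, REFRESH }

    // Hypothetical token record; a real service would persist this in a DB or cache.
    record OAuth2Token(String value, TokenType type, long userId, Instant expiresAt) {
        boolean expired() { return Instant.now().isAfter(expiresAt); }
    }

    private static final SecureRandom RNG = new SecureRandom();
    // One table for both token kinds: this is what makes the type check necessary.
    private final Map<String, OAuth2Token> tokens = new HashMap<>();

    private static String opaque() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Issues an access/refresh pair for a user; returns [access, refresh].
    OAuth2Token[] issue(long userId) {
        OAuth2Token access = new OAuth2Token(opaque(), TokenType.ACCESS, userId,
                Instant.now().plus(Duration.ofMinutes(30)));
        OAuth2Token refresh = new OAuth2Token(opaque(), TokenType.REFRESH, userId,
                Instant.now().plus(Duration.ofDays(30)));
        tokens.put(access.value(), access);
        tokens.put(refresh.value(), refresh);
        return new OAuth2Token[] { access, refresh };
    }

    // Vulnerable shape: any stored, unexpired token is treated as an access token.
    Optional<OAuth2Token> getAccessTokenVulnerable(String value) {
        OAuth2Token t = tokens.get(value);
        if (t == null || t.expired()) return Optional.empty();
        return Optional.of(t); // t.type() is never consulted
    }

    // Hardened: the token must exist, be unexpired, AND be of type ACCESS.
    Optional<OAuth2Token> getAccessTokenHardened(String value) {
        OAuth2Token t = tokens.get(value);
        if (t == null || t.expired()) return Optional.empty();
        if (t.type() != TokenType.ACCESS) {
            // A refresh token arriving as a bearer credential is a strong signal of
            // probing or of a leaked refresh token, so it is worth logging.
            System.err.printf("token type mismatch: expected ACCESS, got %s (user %d)%n",
                    t.type(), t.userId());
            return Optional.empty();
        }
        return Optional.of(t);
    }

    // The same rule in the other direction: only REFRESH tokens may mint a new pair.
    Optional<OAuth2Token[]> refresh(String value) {
        OAuth2Token t = tokens.get(value);
        if (t == null || t.expired() || t.type() != TokenType.REFRESH) return Optional.empty();
        tokens.remove(value); // single use: rotate the refresh token on every use
        return Optional.of(issue(t.userId()));
    }

    // Extracts the credential from an "Authorization: Bearer <token>" header value.
    static Optional<String> bearer(String header) {
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) return Optional.empty();
        String v = header.substring(7).trim();
        return v.isEmpty() ? Optional.empty() : Optional.of(v);
    }

    public static void main(String[] args) {
        TokenTypeValidationExample svc = new TokenTypeValidationExample();
        OAuth2Token[] pair = svc.issue(1L);
        // Replay the advisory's reproduction step: refresh token sent as a bearer token.
        String cred = bearer("Bearer " + pair[1].value()).orElseThrow();

        System.out.println("vulnerable lookup accepts refresh token: " + svc.getAccessTokenVulnerable(cred).isPresent());
        System.out.println("hardened lookup accepts refresh token:   " + svc.getAccessTokenHardened(cred).isPresent());
        System.out.println("hardened lookup accepts access token:    " + svc.getAccessTokenHardened(pair[0].value()).isPresent());
        System.out.println("access token accepted by refresh path:   " + svc.refresh(pair[0].value()).isPresent());
    }
}
```

Compile with javac and run the class: the vulnerable lookup resolves the refresh token to a principal, while the hardened lookup returns empty and writes a type-mismatch line to stderr that a detection rule can key on. Keeping the two token kinds in separate stores (or separate tables) so that the access lookup can never find a refresh token at all is an equally valid fix; the explicit type check is cheap and worth keeping as defence in depth even then.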
