CVE-2025-46174 - Vulnerability Details

Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://gist.github.com/Han-tj/29543ce0dae8cbb3bcbedca3390844a9
https://gitee.com/y_project/RuoYi/commit/ea4af7a8cf54393b11d3d286e0aaeb3df8a9aaef
https://gitee.com/y_project/RuoYi/issues/IC1JZR

History

Wed, 26 Nov 2025 16:15:00 +0000

Type	Values Removed	Values Added
Description		Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.
References		https://gist.github.com/Han-tj/29543ce0dae8cbb3bcbedca3390844a9 https://gitee.com/y_project/RuoYi/commit/ea4af7a8cf54393b11d3d286e0aaeb3df8a9aaef https://gitee.com/y_project/RuoYi/issues/IC1JZR

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-11-26T00:00:00.000Z

Updated: 2025-11-26T15:58:45.557Z

Reserved: 2025-04-22T00:00:00.000Z

Link: CVE-2025-46174

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-11-26T16:15:47.813

Modified: 2025-11-26T16:15:47.813

Link: CVE-2025-46174

Redhat

No data.

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object