CVE-2025-66736

HIGH

youlai-boot V2.21.1 - Auth Bypass

Title source: llm

Description

youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The importUsers function in SysUserController.java does not perform a permission check on the current user's identity, which may allow regular users to import user data into the database, resulting in an authorization bypass vulnerability.

Exploits (1)

References (3)

Scores

CVSS v3 7.1
EPSS 0.0004
EPSS Percentile 13.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Details

CWE
CWE-284 CWE-862
Status published
Products (1)
youlai/youlai-boot 2.21.1
Published Dec 22, 2025
Tracked Since Feb 18, 2026