CVE-2026-27579
CORS Misconfiguration in CollabPlatform Enables Credentialed Data Theft
Publication date: 2026-02-21
Last updated on: 2026-02-21
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| appwrite | appwrite | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-942 | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27579 is a high-severity security vulnerability in the CollabPlatform's Appwrite backend service caused by a misconfiguration of Cross-Origin Resource Sharing (CORS) policies.

Specifically, the Appwrite project improperly allows arbitrary origins in CORS responses while also permitting credentialed requests to the /v1/account endpoint. This means that an attacker-controlled domain can send authenticated cross-origin requests and read sensitive user information.

- The vulnerable endpoint reflects arbitrary Origin headers in the Access-Control-Allow-Origin response header.
- It also sets Access-Control-Allow-Credentials to true, allowing cookies and credentials to be sent.

Because of this misconfiguration, if a logged-in user visits a malicious webpage, the attacker can fetch and exfiltrate the user's sensitive account data, including email address, account identifiers, and multi-factor authentication (MFA) status.

This vulnerability bypasses the browser's Same-Origin Policy, enabling cross-site authenticated data theft without requiring special privileges or authentication bypass. [1]
How can this vulnerability impact me?
This vulnerability can have serious impacts on users and organizations using CollabPlatform.
- Attackers can steal sensitive user account information such as email addresses, account identifiers, and MFA status.
- The attack requires only that the victim be logged in and visit a malicious webpage, making it relatively easy to exploit.
- Compromised account information can lead to further attacks, including identity theft or account takeover.
- There is potential for chaining this vulnerability with other issues like Insecure Direct Object References (IDOR) or privilege escalation vulnerabilities.
Overall, the vulnerability exposes users to unauthorized data disclosure and increases the risk of broader security breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the CORS headers returned by the Appwrite backend service, specifically the /v1/account endpoint.

Look for the presence of the header Access-Control-Allow-Origin reflecting arbitrary or attacker-controlled origins, combined with Access-Control-Allow-Credentials set to true.

A simple way to test this is to send a cross-origin request with a custom Origin header and observe the response headers.

- Use curl to send a request with a custom Origin header, for example: `curl -H "Origin: https://evil.com" -I https://your-collabplatform-domain/v1/account`
- Check if the response includes Access-Control-Allow-Origin: https://evil.com and Access-Control-Allow-Credentials: true.

If these headers are present as described, the system is vulnerable to this CORS misconfiguration. [1]
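The detection check above, as an added example that is not part of the advisory (the probe origin and the placeholder target URL are constructed values): send one request with a custom Origin header and classify the CORS headers that come back, treating an echoed origin together with Access-Control-Allow-Credentials: true as the vulnerable pattern. It also distinguishes the cases curl output alone leaves ambiguous, such as a wildcard, which browsers refuse to combine with credentials.

```python
# Added example, not the advisory's or Appwrite's code. Probes one endpoint with a
# custom Origin and classifies the CORS headers it returns.
import sys
import urllib.request
from urllib.error import HTTPError, URLError

PROBE_ORIGIN = "https://cors-probe.example"  # constructed; use a domain you control

def classify_cors(probe_origin, headers):
    """Return a label for the CORS posture implied by a response's headers.

    Header names are matched case-insensitively; values are compared exactly,
    because browsers require a byte-for-byte match of the origin and the literal
    string "true" for Access-Control-Allow-Credentials.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials") == "true"
    if acao is None:
        return "no-cors"                      # cross-origin reads blocked by default
    if acao == probe_origin:
        # The CVE-2026-27579 pattern: an untrusted origin is echoed back and
        # cookies are accepted, so a page on that origin can read the response.
        return "reflected-with-credentials" if creds else "reflected"
    if acao == "*":
        # Browsers refuse credentialed responses carrying "*", so only
        # unauthenticated data is exposed even if the credentials flag is set.
        return "wildcard-with-credentials" if creds else "wildcard"
    return "fixed-origin"                     # allow-list entry that did not match us

def probe(url, probe_origin=PROBE_ORIGIN, timeout=10.0):
    """Send a GET with a custom Origin header and classify the reply."""
    req = urllib.request.Request(url, headers={"Origin": probe_origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            headers = dict(resp.headers.items())
    except HTTPError as err:
        # An unauthenticated /v1/account call may answer 401 yet still carry
        # the CORS headers, which are what we are inspecting.
        headers = dict(err.headers.items())
    return classify_cors(probe_origin, headers)

if __name__ == "__main__":
    # Placeholder target taken from the advisory's curl example.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://your-collabplatform-domain/v1/account"
    try:
        print(target, "->", probe(target))
    except URLError as err:
        print("request failed:", err)
```

Run it as `python cors_probe.py https://<your-deployment>/v1/account`; a result of `reflected-with-credentials` is the condition the advisory describes, while `fixed-origin` or `no-cors` indicates the allow-list is holding.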
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps involve correcting the CORS configuration in the Appwrite project settings.
- Restrict allowed web origins in the Appwrite Console under Project Settings > Platforms.
- Remove any wildcard (*) or overly broad origin entries that allow arbitrary origins.
- Only allow trusted origins, such as https://realtime-collaboration-platform-steel.vercel.app.
- Avoid reflecting dynamic origins in the Access-Control-Allow-Origin header.
- Do not allow credentials to be sent with wildcard or arbitrary origins by ensuring Access-Control-Allow-Credentials is only true for trusted origins.