CVE-2026-0397
CORS Misconfiguration in Open-Xchange Webserver Enables Data Exposure
Publication date: 2026-03-31
Last updated on: 2026-04-14
Assigner: Open-Xchange
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| powerdns | dnsdist | From 1.9.0 (inc) to 1.9.12 (exc) |
| powerdns | dnsdist | From 2.0.0 (inc) to 2.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-942 | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when the internal webserver is enabled (which is disabled by default). An attacker can trick an administrator who is logged into the dashboard into visiting a malicious website. Due to a misconfiguration in the Cross-Origin Resource Sharing (CORS) policy, the attacker can then extract information about the running configuration from the dashboard.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of configuration information from the dashboard if an administrator is tricked into visiting a malicious website. This could potentially expose sensitive configuration details to attackers, although the impact is limited to information disclosure with a low severity score.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the internal webserver is disabled if not needed, as it is disabled by default.
Additionally, review and correct the Cross-Origin Resource Sharing (CORS) policy configuration to prevent unauthorized information extraction from the dashboard.