CVE-2026-30924
Received Received - Intake
CORS Misconfiguration in qui Enables Authenticated Request Forgery

Publication date: 2026-03-19

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30924
EUVD
EUVD-2026-13202
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getqui qui to 1.15.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30924 is a critical security vulnerability in the qui web interface for managing qBittorrent instances (versions 1.14.1 and below). It arises from a permissive Cross-Origin Resource Sharing (CORS) policy that reflects arbitrary origins while also allowing credentials to be sent. This means any external webpage can make authenticated requests on behalf of a logged-in user without restrictions.'}, {'type': 'paragraph', 'content': "An attacker can exploit this by tricking a victim into loading a malicious webpage that silently interacts with the application using the victim's session. This can lead to exfiltration of sensitive data such as API keys and account credentials or even full system compromise through the application's External Programs manager."}, {'type': 'paragraph', 'content': 'Exploitation requires the victim to access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely scenario.'}] [2]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including unauthorized access and control over your qBittorrent instance and potentially the underlying system.'}, {'type': 'list_item', 'content': 'Attackers can exfiltrate sensitive information such as API keys, account credentials, and passkeys.'}, {'type': 'list_item', 'content': 'User accounts on connected external services can be exposed and compromised.'}, {'type': 'list_item', 'content': 'There can be permanent loss of access to critical accounts.'}, {'type': 'list_item', 'content': 'Full compromise of the host or container system is possible, especially due to the External Programs manager allowing callbacks to attacker-controlled servers.'}, {'type': 'list_item', 'content': "Attackers can execute actions with the application's privileges, which often run with root or privileged user context."}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting the HTTP response headers of the qui web interface to check for permissive CORS policies. Specifically, look for the presence of the header Access-Control-Allow-Credentials set to true combined with Access-Control-Allow-Origin reflecting arbitrary origins (e.g., echoing back the Origin header or using a wildcard).'}, {'type': 'paragraph', 'content': 'You can use command-line tools like curl to examine these headers. For example:'}, {'type': 'list_item', 'content': 'curl -I -H "Origin: https://malicious.example.com" https://your-qui-instance/'}, {'type': 'list_item', 'content': 'Check if the response includes Access-Control-Allow-Credentials: true and Access-Control-Allow-Origin: https://malicious.example.com (or any arbitrary origin).'}, {'type': 'paragraph', 'content': 'If the server reflects arbitrary origins and allows credentials, it is vulnerable to this CORS misconfiguration.'}] [2]

Mitigation Strategies

Immediate mitigation steps include restricting the CORS policy to an explicit allowlist of trusted origins rather than allowing all origins. This prevents unauthorized cross-origin requests that could exploit the vulnerability.

Specifically, configure the application to set Access-Control-Allow-Origin only to trusted domains and avoid reflecting arbitrary origins. Also, set Access-Control-Allow-Credentials to false or remove it if credentialed requests are not necessary.

Additional immediate actions include:

  • Avoid exposing the qui instance to the public internet or untrusted networks.
  • Use unique hostnames and do not share them with untrusted parties.
  • Sign out of the application after use to reduce session exposure.
  • Avoid clicking or automatically loading untrusted webpages that could trigger exploitation.

If possible, update the application to a version that includes the fix which enforces an explicit CORS allowlist (e.g., by setting the QUI__CORS_ALLOWED_ORIGINS environment variable).

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30924. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart