CVE-2026-30924
Status: Received (Intake)
CORS Misconfiguration in qui Enables Authenticated Request Forgery

Publication date: 2026-03-19

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session, potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication.
Meta Information
  • Published: 2026-03-19
  • Last Modified: 2026-04-23
  • Generated: 2026-05-07
  • AI Q&A: 2026-03-19
  • EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
  • Vendor: getqui; Product: qui; Version / Range: up to 1.15.0 (excluded)
CWE ID: CWE-942
Description: The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-30924 is a critical security vulnerability in the qui web interface for managing qBittorrent instances (versions 1.14.1 and below). It arises from a permissive Cross-Origin Resource Sharing (CORS) policy that reflects arbitrary origins while also allowing credentials to be sent. This means any external webpage can make authenticated requests on behalf of a logged-in user without restrictions.

An attacker can exploit this by tricking a victim into loading a malicious webpage that silently interacts with the application using the victim's session. This can lead to exfiltration of sensitive data such as API keys and account credentials or even full system compromise through the application's External Programs manager.

Exploitation requires the victim to access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely scenario. [2]


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized access and control over your qBittorrent instance and potentially the underlying system.

  • Attackers can exfiltrate sensitive information such as API keys, account credentials, and passkeys.
  • User accounts on connected external services can be exposed and compromised.
  • There can be permanent loss of access to critical accounts.
  • Full compromise of the host or container system is possible, especially due to the External Programs manager allowing callbacks to attacker-controlled servers.
  • Attackers can execute actions with the application's privileges, which often run with root or privileged user context. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the HTTP response headers of the qui web interface to check for permissive CORS policies. Specifically, look for the presence of the header Access-Control-Allow-Credentials set to true combined with Access-Control-Allow-Origin reflecting arbitrary origins (e.g., echoing back the Origin header or using a wildcard).

You can use command-line tools like curl to examine these headers. For example:

  • curl -I -H "Origin: https://malicious.example.com" https://your-qui-instance/
  • Check if the response includes Access-Control-Allow-Credentials: true and Access-Control-Allow-Origin: https://malicious.example.com (or any arbitrary origin).

If the server reflects arbitrary origins and allows credentials, it is vulnerable to this CORS misconfiguration. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting the CORS policy to an explicit allowlist of trusted origins rather than allowing all origins. This prevents unauthorized cross-origin requests that could exploit the vulnerability.

Specifically, configure the application to set Access-Control-Allow-Origin only to trusted domains and avoid reflecting arbitrary origins. Also, set Access-Control-Allow-Credentials to false or remove it if credentialed requests are not necessary.

Additional immediate actions include:

  • Avoid exposing the qui instance to the public internet or untrusted networks.
  • Use unique hostnames and do not share them with untrusted parties.
  • Sign out of the application after use to reduce session exposure.
  • Avoid clicking or automatically loading untrusted webpages that could trigger exploitation.

If possible, update the application to a version that includes the fix, which enforces an explicit CORS allowlist (e.g., by setting the QUI__CORS_ALLOWED_ORIGINS environment variable).
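The following Go snippet, added here and not taken from the qui project, puts the weak reflecting policy described in the advisory next to an allowlist-based one and implements the header check from the detection answer above as a function. The allowlist contents, the hostnames and the handler names are constructed for illustration; qui's real CORS code and the parsing of QUI__CORS_ALLOWED_ORIGINS are not shown.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Hypothetical allowlist standing in for the origins an operator would
// put in QUI__CORS_ALLOWED_ORIGINS; the hostname is constructed.
var allowedOrigins = map[string]bool{"https://qui.internal.example": true}

// reflectingCORS mirrors the weak behaviour the advisory describes:
// it echoes whatever Origin arrives and also allows credentials.
func reflectingCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// allowlistCORS is the corrected form: only allowlisted origins are
// echoed; any other origin gets no CORS headers, so the browser
// refuses to expose the response to the calling page.
func allowlistCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin")
		if o := r.Header.Get("Origin"); allowedOrigins[o] {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// EchoesOriginWithCredentials is the detection check from the page:
// send a request carrying a foreign Origin and report whether the
// response both echoes it (or uses "*") and allows credentials.
func EchoesOriginWithCredentials(h http.Handler, origin string) bool {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Origin", origin)
	h.ServeHTTP(rec, req)
	acao := rec.Header().Get("Access-Control-Allow-Origin")
	return (acao == origin || acao == "*") &&
		rec.Header().Get("Access-Control-Allow-Credentials") == "true"
}
```

Against a live instance the same check is what the curl command in the detection answer performs by hand; here it runs in-process against both handlers so the difference between the two policies is visible without a server.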

