Executive Summary

The vulnerability in CVE-2026-5321 affects Vanna AI versions up to 2.0.2 and is caused by a misconfiguration of Cross-Origin Resource Sharing (CORS) in its FastAPI and Flask server components.

Specifically, the server reflects any Origin request header value into the Access-Control-Allow-Origin response header while also setting Access-Control-Allow-Credentials to true. This violates the CORS specification, which forbids using a wildcard "*" for allowed origins when credentials are allowed.

Because of this, an attacker-controlled website can perform authenticated cross-origin requests to the Vanna API on behalf of a victim user, potentially accessing sensitive data without authorization.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to perform API actions as authenticated users by exploiting the permissive CORS policy.

An attacker can host malicious JavaScript on a website that, when visited by a victim, sends credentialed requests to the Vanna server, potentially retrieving and exfiltrating sensitive data such as customer information.

The attack can be launched remotely and requires only that the victim visits a malicious webpage, making it a significant risk for unauthorized data access.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending CORS preflight OPTIONS requests with attacker-controlled Origin headers to the Vanna AI server and observing the Access-Control-Allow-Origin response header.

If the server reflects the Origin header value in Access-Control-Allow-Origin while also setting Access-Control-Allow-Credentials to true, it indicates the presence of the vulnerability.

A practical detection method is to use curl commands to send OPTIONS requests with custom Origin headers and inspect the response headers.

• curl -i -X OPTIONS https://your-vanna-server/api/endpoint -H "Origin: http://malicious.example.com" -H "Access-Control-Request-Method: POST"
• Check if the response includes Access-Control-Allow-Origin: http://malicious.example.com and Access-Control-Allow-Credentials: true

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately replace the permissive CORS configuration with a restrictive one.

Specifically, do not use allow_origins set to ["*"] together with allow_credentials set to true.

Instead, configure an explicit whitelist of allowed origins and disable credentials by default.

• Set allow_origins to an empty list or to a specific list of trusted domains.
• Set allow_credentials to false unless absolutely necessary.

These changes should be applied in the FastAPI and Flask server configurations, specifically in the create_app() method or equivalent CORS middleware setup.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Vanna AI involves a permissive cross-origin resource sharing (CORS) configuration that allows attacker-controlled websites to perform authenticated cross-origin requests, potentially leading to unauthorized access and exfiltration of sensitive data such as customer information.

Such unauthorized data access and exfiltration can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to prevent unauthorized disclosure.

By enabling attackers to perform actions as authenticated users and access sensitive information without proper authorization, this vulnerability increases the risk of data breaches and non-compliance with these standards.

Useful 0 Not Useful 0