Executive Summary

CVE-2026-6662 is a vulnerability in the ericc-ch copilot-api up to version 0.7.0, specifically in the Token Endpoint's CORS configuration and authentication setup.

The issue arises because the server uses a permissive wildcard CORS policy (Access-Control-Allow-Origin: *) that allows any website to make cross-origin requests and read responses.

Additionally, the /token endpoint returns the GitHub Copilot bearer token in JSON format without any authentication, making it accessible to any origin.

An attacker can exploit this by tricking a victim into visiting a malicious webpage, which then scans the victim's localhost for the copilot-api service, fetches the token from the /token endpoint, and exfiltrates it to the attacker.

This allows the attacker to steal the victim's Copilot token and abuse the API remotely without any user interaction beyond visiting the malicious page.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows remote attackers to steal the victim’s GitHub Copilot bearer token and abuse the API without user interaction beyond visiting a malicious webpage.

The exposure of sensitive tokens and usage data through a permissive CORS policy and unauthenticated endpoints could lead to unauthorized access to personal or sensitive information.

Such unauthorized data exposure and potential misuse may violate data protection requirements in standards and regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive data.

Therefore, this vulnerability could negatively impact compliance by enabling data breaches and unauthorized data processing.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several impacts:

• Confidentiality: The attacker can fully steal your GitHub Copilot bearer token.
• Integrity: The attacker can generate AI content as if they were you, potentially producing harmful or policy-violating outputs.
• Financial: The attacker can consume your premium quota for GitHub Copilot requests, which could cost you between $10 and $39 per month.
• Privacy: The attacker can access your usage data and account metadata via other exposed endpoints.
• Scope: The stolen token can be used remotely against the GitHub Copilot API, not just locally.
• Attack Surface: The attack requires zero clicks beyond visiting a malicious webpage and can be launched from any website, including legitimate sites with injected ads or XSS.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the copilot-api server is running locally and if it exposes the /token endpoint without authentication, combined with a permissive CORS policy allowing any origin.

• Use a port scan on localhost port 4141 to detect if copilot-api is running.
• Send a cross-origin HTTP GET request to http://localhost:4141/token with an Origin header set to an untrusted domain and check if the response includes the header Access-Control-Allow-Origin: * and returns the bearer token in JSON.
• Example curl command to test the /token endpoint and CORS policy: curl -H "Origin: http://malicious.example.com" -v http://localhost:4141/token

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include securing the /token endpoint and restricting the CORS policy.

• Remove or secure the /token endpoint by requiring authentication, such as an API key check.
• Restrict the CORS policy to trusted origins instead of using a wildcard (*) allowing all origins.
• Add authentication middleware to all routes to prevent unauthenticated access.

Useful 0 Not Useful 0