CVE-2026-7581
CORS Misconfiguration in MeTube Application
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alexta69 | metube | up to 2026.04.09 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-942 | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in MeTube involves a permissive CORS policy that allows cross-origin attacks, enabling unauthorized actions such as arbitrary downloads, cookie overwrites, data deletion, and potentially remote code execution. Such unauthorized access and manipulation of data could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Specifically, the lack of proper origin validation and authentication on API endpoints could result in unauthorized data exposure or modification, undermining confidentiality and integrity requirements mandated by these standards.
Mitigation through upgrading to version 2026.04.10, which introduces an explicit allowlist for trusted origins and denies cross-origin requests by default, helps restore compliance by enforcing stricter access controls.
Can you explain this vulnerability to me?
CVE-2026-7581 is a security vulnerability in the MeTube application affecting versions up to 2026.04.09. It arises from a permissive Cross-Origin Resource Sharing (CORS) policy where the server unconditionally reflects the Origin request header into the Access-Control-Allow-Origin response header without validation. Additionally, the Socket.IO server was configured to allow all origins ('*'). This misconfiguration allows any website to make authenticated cross-origin requests to all API endpoints without proper authentication.
Because of this, an attacker can exploit the vulnerability remotely by tricking a victim into visiting a malicious webpage, which then performs unauthorized actions on the victim's MeTube instance. These actions include forcing the server to download arbitrary content, overwriting cookies, deleting downloads, creating subscriptions, enumerating download history, and potentially achieving remote code execution under certain conditions.
The vulnerability is fixed by replacing the blanket origin reflection with an explicit allowlist controlled by the CORS_ALLOWED_ORIGINS environment variable. When unset, cross-origin requests are denied by default.
How can this vulnerability impact me?
This vulnerability can have several impacts on users of the MeTube application:
- An attacker can force the server to download arbitrary content, potentially consuming disk space and bandwidth.
- Cookies can be overwritten, which may lead to session hijacking or unauthorized access.
- Downloads can be deleted without authorization, causing data loss.
- Subscriptions can be created or manipulated, affecting user preferences or data.
- An attacker may enumerate download history, exposing potentially sensitive user data.
- Under certain configurations, remote code execution is possible, which could lead to full server compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a permissive CORS policy in the MeTube application that reflects the Origin header unconditionally and allows all origins in Socket.IO, enabling cross-origin attacks without proper authentication.
To detect this vulnerability on your system, you can check the HTTP response headers of the MeTube server for the Access-Control-Allow-Origin header to see if it reflects the Origin header value or is set to '*'.
Suggested commands to detect the issue include using curl to send requests with a custom Origin header and inspecting the response headers:
- `curl -H "Origin: http://malicious.example.com" -I http://your-metube-server/`
- Check if the Access-Control-Allow-Origin header in the response matches the Origin header or is set to '*', indicating a permissive CORS policy.
Additionally, you can test Socket.IO connections to see if they accept all origins by attempting to connect from an untrusted origin.
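The header check described above as a small script, added here as an example and not part of the advisory or of MeTube itself. It assumes an instance reachable at the constructed default `http://localhost:8081/` and uses the constructed probe origin `http://untrusted.invalid`; the classification only looks at the Access-Control-Allow-Origin header, so it works on any saved response as well.

```python
import sys
import urllib.error
import urllib.request
from typing import Mapping

# Constructed probe origin: any origin the MeTube instance has no reason to trust.
PROBE_ORIGIN = "http://untrusted.invalid"

def classify_cors(headers: Mapping[str, str], probe_origin: str = PROBE_ORIGIN) -> str:
    """Classify a response by its Access-Control-Allow-Origin (ACAO) header.

    'reflected'  - the probe origin came back verbatim (the CVE-2026-7581 pattern)
    'wildcard'   - ACAO is '*', any origin may read non-credentialed responses
    'restricted' - ACAO names some other origin, so an allowlist is in effect
    'none'       - no ACAO header, the browser blocks cross-origin reads
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    acao = lowered.get("access-control-allow-origin", "")
    if acao == "":
        return "none"
    if acao == "*":
        return "wildcard"
    if acao == probe_origin:
        return "reflected"
    return "restricted"

def is_permissive(headers: Mapping[str, str], probe_origin: str = PROBE_ORIGIN) -> bool:
    """True when an arbitrary website could talk to the API through the browser.
    Reflection plus Access-Control-Allow-Credentials: true is the worst case,
    because the browser then attaches the victim's cookies to the request."""
    return classify_cors(headers, probe_origin) in ("reflected", "wildcard")

def probe_server(url: str, probe_origin: str = PROBE_ORIGIN, timeout: float = 5.0) -> str:
    """Send one GET with a custom Origin header and classify the answer.
    Error responses still carry headers, so they are classified as well."""
    req = urllib.request.Request(url, headers={"Origin": probe_origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_cors(dict(resp.headers.items()), probe_origin)
    except urllib.error.HTTPError as err:
        return classify_cors(dict(err.headers.items()), probe_origin)

if __name__ == "__main__":
    # Assumed default port for a local MeTube container; pass another URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8081/"
    verdict = probe_server(target)
    print(f"{target}: ACAO verdict = {verdict}, permissive = {verdict in ('reflected', 'wildcard')}")
```

A verdict of `reflected` or `wildcard` on a version at or below 2026.04.09 is the condition the advisory describes; `restricted` or `none` is what a patched instance with CORS_ALLOWED_ORIGINS set (or unset) should return.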
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the MeTube application to version 2026.04.10 or later, which includes a fix for the permissive CORS policy.
The fix replaces the unconditional reflection of the Origin header with an explicit allowlist controlled by the environment variable CORS_ALLOWED_ORIGINS.
If you require cross-origin access, configure the CORS_ALLOWED_ORIGINS environment variable with a comma-separated list of trusted origins. If unset, cross-origin requests will be denied by default.
Also, update the Socket.IO configuration to restrict allowed origins to the same allowlist.
As an additional security measure, consider adding API key authentication for exposed environments to prevent unauthorized access.
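The allowlist behaviour the fix describes, written out as an added example (not MeTube's own code) beside the reflection pattern it replaces. Function names are assumptions; the environment variable name and the comma-separated format are the ones stated above, and an unset or empty value denies all cross-origin requests.

```python
import os
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

def reflect_origin(request_origin: Optional[str]) -> Optional[str]:
    """The pre-2026.04.10 behaviour described in the advisory: whatever Origin
    arrives is echoed into Access-Control-Allow-Origin, so every site is trusted."""
    return request_origin

def parse_allowlist(raw: Optional[str]) -> Set[str]:
    """Turn a comma-separated CORS_ALLOWED_ORIGINS value into a set of normalised
    origins. None or an empty string yields an empty set, i.e. deny all
    cross-origin requests, which is the secure default."""
    origins: Set[str] = set()
    for item in (raw or "").split(","):
        item = item.strip()
        if not item:
            continue
        parts = urlsplit(item)
        if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
            raise ValueError(f"not a bare origin: {item!r}")  # reject bare hosts and URLs with paths
        origins.add(f"{parts.scheme}://{parts.netloc.lower()}")
    return origins

def allowed_origin(request_origin: Optional[str], allowlist: Set[str]) -> Optional[str]:
    """Exact-match lookup: return the origin to echo, or None to omit the header.
    No reflection and no wildcard, so https://metube.example.evil or any
    substring match never passes."""
    if request_origin is None:
        return None
    normalised = request_origin.strip().lower()
    return normalised if normalised in allowlist else None

def cors_headers_for(request_origin: Optional[str], allowlist: Set[str]) -> Dict[str, str]:
    """CORS response headers for one request; an empty dict means the browser
    blocks the cross-origin read. Vary: Origin keeps caches from serving one
    origin's ACAO value to another."""
    origin = allowed_origin(request_origin, allowlist)
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

def allowlist_from_env() -> Set[str]:
    """Read CORS_ALLOWED_ORIGINS the way an operator of the fixed version sets it."""
    return parse_allowlist(os.environ.get("CORS_ALLOWED_ORIGINS"))
```

The same set, passed as a list, is what python-socketio's `cors_allowed_origins` parameter accepts, so the Socket.IO server can be restricted to the identical allowlist rather than `'*'`.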