CVE-2026-7581
Received Received - Intake
CORS Misconfiguration in MeTube Application

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: VulDB

Description
A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function on_prepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.04.10 is able to mitigate this issue. The identifier of the patch is 0072d3488ae5b8d922d3ee87458d829993742a32. It is recommended to upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7581
EUVD
EUVD-2026-26501
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
alexta69 metube to 2026.04.09 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in MeTube involves a permissive CORS policy that allows cross-origin attacks, enabling unauthorized actions such as arbitrary downloads, cookie overwrites, data deletion, and potentially remote code execution. Such unauthorized access and manipulation of data could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Specifically, the lack of proper origin validation and authentication on API endpoints could result in unauthorized data exposure or modification, undermining confidentiality and integrity requirements mandated by these standards.

Mitigation through upgrading to version 2026.04.10, which introduces an explicit allowlist for trusted origins and denies cross-origin requests by default, helps restore compliance by enforcing stricter access controls.

Executive Summary

CVE-2026-7581 is a security vulnerability in the MeTube application affecting versions up to 2026.04.09. It arises from a permissive Cross-Origin Resource Sharing (CORS) policy where the server unconditionally reflects the Origin request header into the Access-Control-Allow-Origin response header without validation. Additionally, the Socket.IO server was configured to allow all origins ('*'). This misconfiguration allows any website to make authenticated cross-origin requests to all API endpoints without proper authentication.

Because of this, an attacker can exploit the vulnerability remotely by tricking a victim into visiting a malicious webpage, which then performs unauthorized actions on the victim's MeTube instance. These actions include forcing the server to download arbitrary content, overwriting cookies, deleting downloads, creating subscriptions, enumerating download history, and potentially achieving remote code execution under certain conditions.

The vulnerability is fixed by replacing the blanket origin reflection with an explicit allowlist controlled by the CORS_ALLOWED_ORIGINS environment variable. When unset, cross-origin requests are denied by default.

Impact Analysis

This vulnerability can have several impacts on users of the MeTube application:

  • An attacker can force the server to download arbitrary content, potentially consuming disk space and bandwidth.
  • Cookies can be overwritten, which may lead to session hijacking or unauthorized access.
  • Downloads can be deleted without authorization, causing data loss.
  • Subscriptions can be created or manipulated, affecting user preferences or data.
  • An attacker may enumerate download history, exposing potentially sensitive user data.
  • Under certain configurations, remote code execution is possible, which could lead to full server compromise.
Detection Guidance

This vulnerability involves a permissive CORS policy in the MeTube application that reflects the Origin header unconditionally and allows all origins in Socket.IO, enabling cross-origin attacks without proper authentication.

To detect this vulnerability on your system, you can check the HTTP response headers of the MeTube server for the Access-Control-Allow-Origin header to see if it reflects the Origin header value or is set to '*'.

Suggested commands to detect the issue include using curl to send requests with a custom Origin header and inspecting the response headers:

  • curl -H "Origin: http://malicious.example.com" -I http://your-metube-server/
  • Check if the Access-Control-Allow-Origin header in the response matches the Origin header or is set to '*', indicating a permissive CORS policy.

Additionally, you can test Socket.IO connections to see if they accept all origins by attempting to connect from an untrusted origin.

Mitigation Strategies

The primary mitigation step is to upgrade the MeTube application to version 2026.04.10 or later, which includes a fix for the permissive CORS policy.

The fix replaces the unconditional reflection of the Origin header with an explicit allowlist controlled by the environment variable CORS_ALLOWED_ORIGINS.

If you require cross-origin access, configure the CORS_ALLOWED_ORIGINS environment variable with a comma-separated list of trusted origins. If unset, cross-origin requests will be denied by default.

Also, update the Socket.IO configuration to restrict allowed origins to the same allowlist.

As an additional security measure, consider adding API key authentication for exposed environments to prevent unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7581. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart