CVE-2026-54753
Deferred - Pending Action
Cross-Origin Information Disclosure in Nx Monorepo

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 up to (but not including) 22.7.2, and in the 23.0.0 betas before 23.0.0-beta.2, the local HTTP server started by `nx graph` sent `Access-Control-Allow-Origin: *` on every response. Any website a developer visited while the server was running could therefore read its responses cross-origin, including the full project graph and the output of the `/help` endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but in rare cases it amounts to arbitrary command injection: if a target in the workspace carries a malicious help command, the attacker's page can trigger it through `/help`. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.
Meta Information
Generated: 2026-06-27
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor  Product  Version / Range
nrwl    nx       From 17.0.4 (inc) to 22.7.2 (exc)
nrwl    nx       From 23.0.0-beta.0 (inc) to 23.0.0-beta.2 (exc)

The page also lists nrwl nx 22.7.2 and nrwl nx 23.0.0-beta.2 among the associated CPEs; these are the patched releases, not affected versions.
CWE ID   Name and Description
CWE-942  Permissive Cross-domain Policy with Untrusted Domains: The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
CWE-749  Exposed Dangerous Method or Function: The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
Compliance Impact

The vulnerability allows cross-origin disclosure of sensitive project details, which could give an unauthorized party access to confidential data about the codebase.

Such disclosure may bear on compliance with data protection regulations such as GDPR and HIPAA, which require sensitive information to be safeguarded against unauthorized disclosure.

The vulnerability is, however, confined to local development environments and requires the developer to be running the vulnerable server while visiting a malicious website, which limits the scope of any compliance impact.

Executive Summary

CVE-2026-54753 is a vulnerability in the local HTTP server that the Nx monorepo tool starts for the `nx graph` command. The server included a wildcard CORS header (`Access-Control-Allow-Origin: *`) on every response, which lets any website a developer visits while the server is running read its responses cross-origin.

The readable data includes the full project graph (project names, file paths, dependencies, and build configurations) and the output of the `/help` endpoint, which runs a target's configured help command.

The main impact is cross-origin information disclosure. In rare cases it escalates to arbitrary command injection: a target whose configured help command is malicious would be run when the attacker's page requests `/help`.

The vulnerability affects versions from 17.0.4 up to but not including 22.7.2, and the 23.0.0 betas before 23.0.0-beta.2. It was fixed by removing the wildcard CORS header.

Impact Analysis

While the `nx graph` server is running, any website you visit can read internal project information from it because of the permissive CORS policy.

The exposed information includes the entire project graph (project names, file paths, dependencies, and build configurations), which gives an attacker a map of your development environment.

The `/help` endpoint can be requested as well; it runs the help command configured for a target and returns the output. If a malicious help command has made its way into the workspace configuration, that request amounts to the arbitrary command injection the advisory describes, a much higher risk.

Exploitation requires both that you are running the vulnerable `nx graph` server and that you visit an attacker-controlled webpage, so the risk is concentrated in active development sessions.

Detection Guidance

While `nx graph` is running, the vulnerable server can be recognised by the `Access-Control-Allow-Origin: *` header on its responses (by default it listens on http://127.0.0.1:4211; the port is configurable, so use whatever URL the command printed). A wildcard here means any website the developer visits can read the server's responses cross-origin.

Either a command-line client or the browser's developer tools will show the header.

  • Request a page from the running server with curl and dump the response headers (use a GET rather than `curl -I`, since a HEAD request may be answered differently): curl -s -D - -o /dev/null -H 'Origin: https://attacker.example' http://127.0.0.1:4211/
  • Look for Access-Control-Allow-Origin in the dumped headers (header names are case-insensitive). If the value is '*', the vulnerability is present; a fixed server sends no such header.
  • Alternatively, open the graph in the browser and, in the developer tools' Network tab, inspect a response from the nx graph server for the Access-Control-Allow-Origin header.
  • A refused connection only means the server is not running at that moment, not that the installed nx is patched; confirm the version with `npx nx --version` as well.
Mitigation Strategies

The immediate mitigation is to upgrade the nx package to a release in which the vulnerability is patched.

  • Upgrade nx to version 22.7.2 or later, or to 23.0.0-beta.2 or later.

The fix removes the wildcard Access-Control-Allow-Origin header from the nx graph server entirely, so the browser's same-origin policy once again stops other origins from reading its responses.

Until the upgrade is applied, do not leave the nx graph server running while browsing untrusted sites: exploitation needs both the server running and a visit to an attacker-controlled page, so stopping the server when it is not in use closes the window. It is also worth reviewing the help commands configured on workspace targets, since those are the commands the `/help` endpoint executes.
