CVE-2026-10706
Received Received - Intake

Adalo No-Code App Builder Data Exposure Vulnerability

Vulnerability report for CVE-2026-10706, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: CERT/CC

Description

In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
adalo no-code_application_platform to 3.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-10706 is a critical vulnerability in Adalo’s no-code application platform (versions 1 and 2) that allows attackers to extract full user records and correlate user behavior across multiple applications by enumerating database IDs (dbId).

The root cause is a lack of proper authorization controls in the database API, which lets authenticated users retrieve complete user dataβ€”including fields not explicitly requestedβ€”belonging to any Adalo application, regardless of ownership or configuration.

This issue is worsened by a permissive CORS policy and the fact that deleted records may still be accessible. Additionally, long-lived JWT tokens (valid for about 20 days) are exposed in client-side requests, enabling attackers to reuse tokens from any origin to query the API without app-specific secrets.

The platform also does not implement data minimization, privacy by design, or appropriate technical safeguards, which allows sensitive information to be exposed to unauthorized parties.

Impact Analysis

This vulnerability can lead to unauthorized access and exposure of sensitive user data such as emails, UUIDs, and custom fields across over one million applications built on Adalo.

Attackers can harvest large amounts of user information, potentially enabling phishing attacks, identity theft, and other malicious activities.

Because the vulnerability allows data extraction across multiple applications regardless of ownership, it poses a significant privacy risk to users and organizations relying on the platform.

Compliance Impact

The vulnerability negatively impacts compliance with common data protection standards and regulations such as GDPR and HIPAA because the platform fails to implement data minimization, privacy by design, and appropriate technical safeguards.

Exposing sensitive user information to unauthorized parties violates principles of data confidentiality and integrity required by these regulations.

Organizations using Adalo’s platform may face legal and regulatory consequences due to this exposure if they do not take mitigating actions.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or unusual API requests that attempt to enumerate dbId values or retrieve full user records across multiple applications. Since the vulnerability allows authenticated users to access complete user data via the database API, network traffic inspection should focus on API calls that request user data beyond expected scopes.

Commands or methods to detect exploitation attempts could include capturing and analyzing HTTP requests to the Adalo API endpoints, looking for repeated or automated queries that enumerate user IDs or request large volumes of user data.

  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP traffic to Adalo API endpoints.
  • Example tcpdump command to capture HTTP traffic to Adalo API: tcpdump -i <interface> -A 'tcp port 443 and host <adalo_api_host>'
  • Inspect logs or use tools like curl or Postman to manually test API endpoints for unauthorized data access by attempting to enumerate dbId values.
  • Monitor for long-lived JWT tokens being used from unexpected origins or in unusual patterns, as these tokens can be reused to query the API.
Mitigation Strategies

Immediate mitigation steps include avoiding the storage of sensitive information in Adalo collections until a patch is released, as the platform currently lacks proper authorization controls and technical safeguards.

Additionally, users should monitor and restrict access to long-lived JWT tokens, as their reuse from any origin enables large-scale data harvesting.

  • Avoid storing sensitive user data in Adalo applications.
  • Revoke or rotate any exposed JWT tokens if possible.
  • Implement additional application-level access controls or data minimization outside of Adalo where feasible.
  • Stay informed about updates from Adalo regarding patches or fixes for this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10706. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart