CVE-2026-10708
Received Received - Intake

Adalo Application Data Exposure via JWT and CORS Misconfiguration

Vulnerability report for CVE-2026-10708, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: CERT/CC

Description

This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the absence of token revocation allows attackers to gather sensitive personal information from any Adalo application.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
adalo application *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability allows attackers to harvest large amounts of data without needing app-specific secrets.

By sending a single request to a minimal leaderboard component, attackers can retrieve user records that include emails, UUIDs, and custom fields.

The issue arises due to a combination of wildcard CORS behavior, long-lived twenty-day JSON Web Tokens (JWTs), and the lack of token revocation.

These factors together enable attackers to collect sensitive personal information from any Adalo application.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or unusual API requests to the Adalo leaderboard component that return user records containing emails, UUIDs, and custom fields without proper authorization.

Since the vulnerability exploits permissive CORS policies and long-lived JWT tokens, inspecting network traffic for cross-origin requests to Adalo APIs and analyzing JWT token usage patterns can help identify exploitation attempts.

Specific commands are not provided in the available resources, but general approaches include using network monitoring tools like Wireshark or tcpdump to capture HTTP requests to Adalo endpoints, and using curl or similar tools to test API responses for unauthorized data exposure.

Compliance Impact

This vulnerability enables large-scale unauthorized access to sensitive personal information such as emails, UUIDs, and custom fields from any Adalo application. Such exposure of personal data without proper authorization controls can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict safeguards to protect personal and sensitive information.

The combination of permissive CORS policies, long-lived JWT tokens, and lack of token revocation increases the risk of data breaches, potentially resulting in violations of privacy and security requirements mandated by these standards.

Until a patch is released, affected users are advised to avoid storing sensitive information in Adalo collections to mitigate risks of non-compliance and data exposure.

Mitigation Strategies

Immediate mitigation steps include avoiding the storage of sensitive information in Adalo collections until a patch is released.

Users should also monitor and restrict the use of long-lived JWT tokens, and consider implementing additional authorization controls or network-level restrictions to limit access to the vulnerable API endpoints.

Since Adalo has not yet released a patch, customers should remain vigilant for suspicious activity and consider alternative platforms or temporary workarounds to protect sensitive user data.

Impact Analysis

This vulnerability can lead to unauthorized access and large-scale harvesting of sensitive personal data such as emails, UUIDs, and custom user fields.

Attackers can exploit this to compromise user privacy and potentially use the stolen data for malicious purposes like identity theft, phishing, or other attacks.

Since the vulnerability does not require app-specific secrets, it can affect any Adalo application, increasing the risk and scope of impact.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10708. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart