CVE-2026-57111
Received Received - Intake

Permissive CORS in Apache Helix REST API

Vulnerability report for CVE-2026-57111, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Apache Software Foundation

Description

Permissive Cross-Origin Resource Sharing (CORS) in the REST API (helix-rest, org.apache.helix.rest.server.filters.CORSFilter) in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin requests to administrative REST endpoints via a cross-origin request from an arbitrary origin, since the filter unconditionally returns Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true and reflects arbitrary Access-Control-Request-Method / Access-Control-Request-Headers values in preflight responses. Users are recommended to upgrade to version 2.0.1, which fixes this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apache helix to 2.0.1 (exc)
apache helix 2.0.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1385 The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-57111 is a vulnerability in Apache Helix REST API versions through 2.0.0 caused by a permissive Cross-Origin Resource Sharing (CORS) configuration in the helix-rest component's CORSFilter class.

This misconfiguration allows a remote attacker who controls a web page visited by an authorized user to read responses from and send cross-origin requests to administrative REST endpoints.

The issue arises because the CORS filter unconditionally returns Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true, and it reflects arbitrary Access-Control-Request-Method and Access-Control-Request-Headers values in preflight responses.

This means that the attacker can bypass same-origin policy restrictions and interact with sensitive administrative endpoints via cross-origin requests.

Users are recommended to upgrade to version 2.0.1 or later to fix this issue.

Impact Analysis

This vulnerability can allow an attacker who controls a malicious web page to perform unauthorized cross-origin requests to administrative REST endpoints of Apache Helix.

Because the CORS configuration is overly permissive, the attacker can read sensitive responses and potentially perform actions with the privileges of an authorized user who visits the malicious page.

This could lead to unauthorized access to administrative functions, data leakage, or manipulation of the system through the REST API.

Detection Guidance

This vulnerability can be detected by inspecting the HTTP response headers of the Apache Helix REST API endpoints to check for permissive CORS settings.

  • Look for the presence of the header 'Access-Control-Allow-Origin' set to '*' together with 'Access-Control-Allow-Credentials' set to 'true'.
  • Check if the server reflects arbitrary 'Access-Control-Request-Method' and 'Access-Control-Request-Headers' values in preflight (OPTIONS) responses.

You can use curl commands to test this behavior, for example:

  • curl -i -X OPTIONS https://your-helix-server/rest-endpoint -H "Origin: http://example.com" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: X-Custom-Header"
  • Then inspect the response headers for 'Access-Control-Allow-Origin: *' and 'Access-Control-Allow-Credentials: true' along with reflected request method and headers.
Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to upgrade Apache Helix REST to version 2.0.1 or later, where this issue is fixed.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57111. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart