Skip to main content

Adalo CVE-2026-10706

| EUVDEUVD-2026-42277 HIGH
2026-07-08 cret@cert.org GHSA-cx9x-h2c8-vhx5
7.5
CVSS 3.1 · Vendor: cert
Share

Severity by source

Vendor (cert) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Network-reachable, low-complexity dbId enumeration yielding unauthorized record reads gives C:H with no integrity or availability impact; PR:N retained per source though an app session may be required (AC/PR could rise if so).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (cert).

CVSS VectorVendor: cert

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 09, 2026 - 16:39 vuln.today
CVSS changed
Jul 09, 2026 - 16:22 NVD
7.5 (HIGH)
CVE Published
Jul 08, 2026 - 15:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties.

AnalysisAI

Sensitive user-record disclosure in Adalo's no-code app builder (App Builder versions 1 and 2) lets remote actors enumerate the internal 'dbId' identifier to retrieve complete user records and correlate individuals' behavior across multiple applications hosted on the platform. The flaw stems from predictable/enumerable record identifiers combined with absent access controls and no data minimization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Adalo-hosted app API
Delivery
Observe predictable dbId in responses
Exploit
Enumerate/increment dbId values
Execution
Retrieve unauthorized full user records
Impact
Correlate users across multiple apps

Vulnerability AssessmentAI

Exploitation The concrete prerequisite named in the CVE is the presence of an enumerable/predictable 'dbId' record identifier on the Adalo platform combined with the absence of object-level access controls and data minimization; an attacker exploits it by iterating dbId values to pull records they should not see and to link the same users across applications. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should be read together rather than off the raw score alone. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote actor with access to an Adalo-hosted application observes that user records are addressed by a numeric dbId, then scripts requests that increment the dbId to harvest full user records in bulk, correlating the same individuals across several Adalo apps. No public exploit code is referenced, but the low attack complexity means a simple enumeration script would suffice if the endpoint is reachable without effective authorization checks.
Remediation No vendor-released patch version is identified in the available data; treat remediation as vendor-driven since Adalo is a hosted platform, and monitor CERT/CC VU#849433 (https://kb.cert.org/vuls/id/849433) and the NVD entry for fix announcements. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Adalo App Builder v1 and v2 deployments and identify which applications handle sensitive user data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10706 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy