Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable, low-complexity dbId enumeration yielding unauthorized record reads gives C:H with no integrity or availability impact; PR:N retained per source though an app session may be required (AC/PR could rise if so).
Primary rating from Vendor (cert).
CVSS VectorVendor: cert
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties.
AnalysisAI
Sensitive user-record disclosure in Adalo's no-code app builder (App Builder versions 1 and 2) lets remote actors enumerate the internal 'dbId' identifier to retrieve complete user records and correlate individuals' behavior across multiple applications hosted on the platform. The flaw stems from predictable/enumerable record identifiers combined with absent access controls and no data minimization. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The concrete prerequisite named in the CVE is the presence of an enumerable/predictable 'dbId' record identifier on the Adalo platform combined with the absence of object-level access controls and data minimization; an attacker exploits it by iterating dbId values to pull records they should not see and to link the same users across applications. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should be read together rather than off the raw score alone. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote actor with access to an Adalo-hosted application observes that user records are addressed by a numeric dbId, then scripts requests that increment the dbId to harvest full user records in bulk, correlating the same individuals across several Adalo apps. No public exploit code is referenced, but the low attack complexity means a simple enumeration script would suffice if the endpoint is reachable without effective authorization checks. |
| Remediation | No vendor-released patch version is identified in the available data; treat remediation as vendor-driven since Adalo is a hosted platform, and monitor CERT/CC VU#849433 (https://kb.cert.org/vuls/id/849433) and the NVD entry for fix announcements. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Adalo App Builder v1 and v2 deployments and identify which applications handle sensitive user data. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42277
GHSA-cx9x-h2c8-vhx5