Skip to main content

Adalo CVE-2026-10708

| EUVDEUVD-2026-42276 HIGH
2026-07-08 cret@cert.org GHSA-gv53-r5jh-4pc3
7.5
CVSS 3.1 · Vendor: cert
Share

Severity by source

Vendor (cert) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Single unauthenticated network request returns PII with no secrets (AV:N/AC:L/PR:N/UI:N); confidentiality-only exposure, so C:H and I/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (cert).

CVSS VectorVendor: cert

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 09, 2026 - 16:40 vuln.today
CVSS changed
Jul 09, 2026 - 16:22 NVD
7.5 (HIGH)
CVE Published
Jul 08, 2026 - 15:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the absence of token revocation allows attackers to gather sensitive personal information from any Adalo application.

AnalysisAI

Sensitive information disclosure in Adalo App Builder (versions 1 through 2) lets remote unauthenticated attackers harvest personal data at scale by sending a single request to a minimal leaderboard component, returning user records that include emails, UUIDs, and custom fields. The flaw stems from wildcard CORS behavior combined with long-lived twenty-day JWTs and no token revocation, meaning any Adalo application can be scraped without app-specific secrets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target Adalo application
Delivery
Send request to leaderboard endpoint
Exploit
Retrieve full user records
Execution
Harvest emails, UUIDs, custom fields
Impact
Aggregate PII across apps

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application is built on the affected Adalo App Builder (versions 1 through 2) and exposes the leaderboard component, whose API returns full user records rather than a minimized public view; the description specifies this minimal leaderboard component as the exact reachable surface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a network-reachable, low-complexity, unauthenticated attack with high confidentiality impact but no integrity or availability effect - consistent with a pure data-exposure bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an application built on Adalo and sends a single unauthenticated HTTP request to the leaderboard component's API endpoint, receiving back user records with emails, UUIDs, and custom fields. Because no app-specific secret is required and wildcard CORS permits cross-origin reads, the attacker scripts the request across many Adalo apps to harvest personal data en masse, or embeds it in a malicious web page to steal data from visitors' active sessions. …
Remediation No specific vendor-released fix version is identified in the available data, so track the CERT/CC note (https://kb.cert.org/vuls/id/849433) and NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-10708) for a patched App Builder release and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all production Adalo applications; identify those using leaderboard components and estimate exposed user record count and data sensitivity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10708 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy