COR CVE-2026-27579
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue authenticated cross-origin requests and read sensitive user account information, including email address, account identifiers, and MFA status. The issue did not have a fix at the time of publication.
AnalysisAI
CollabPlatform's misconfigured CORS policy allows credentialed cross-origin requests from attacker-controlled domains, enabling unauthorized access to sensitive user account data including email addresses, account identifiers, and MFA status. All versions of the application are affected by this vulnerability, which remains unpatched and exploitable through simple web-based attacks requiring user interaction.
Technical ContextAI
Classified as CWE-346 (Origin Validation Error). CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue authenticated cross-origin requests and read sensitive user account information, including email address, account identifiers, and MFA status. The issue did not have a fix at the time of publication.
Affected ProductsAI
CollabPlatform is a full-stack, real-time doc collaboration platform
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Same weakness CWE-346 – Origin Validation Error
View allShare
External POC / Exploit Code
Leaving vuln.today