Skip to main content

Cors Misconfiguration CVE-2026-5321

| EUVDEUVD-2026-18122 LOW
Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)
2026-04-02 VulDB GHSA-fp27-q2f5-phx3
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 03, 2026 - 16:10 vuln.today
Public exploit code
EUVD ID Assigned
Apr 02, 2026 - 05:15 euvd
EUVD-2026-18122
Analysis Generated
Apr 02, 2026 - 05:15 vuln.today
CVE Published
Apr 02, 2026 - 04:45 nvd
MEDIUM 5.3

DescriptionCVE.org

A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-Origin Resource Sharing (CORS) misconfiguration in vanna-ai vanna up to version 2.0.2 allows authenticated remote attackers to establish permissive cross-domain policies with untrusted domains, leading to information disclosure. The vulnerability affects the FastAPI/Flask Server component and has publicly available exploit code; however, the vendor has not responded to early disclosure attempts. With a CVSS score of 5.3 and confirmed public exploit availability, this represents a moderate-risk authentication-gated information exposure issue.

Technical ContextAI

The vulnerability stems from improper CORS (Cross-Origin Resource Sharing) policy configuration in vanna-ai's FastAPI or Flask web server component (CWE-942: Permissive Cross-domain Policy with Untrusted Domains). CORS misconfiguration allows a web application to accept requests from unauthorized or insufficiently validated origins, enabling cross-site request forgery (CSRF) and data exfiltration attacks. The affected product is vanna-ai vanna (CPE: cpe:2.3:a:vanna-ai:vanna:*:*:*:*:*:*:*:*), a Python-based framework. The flaw permits manipulation of the server's domain validation logic, allowing an attacker to bypass origin restrictions and access sensitive data across domain boundaries when authenticated to the application.

RemediationAI

Upgrade vanna-ai vanna to a version after 2.0.2 once the vendor releases a patched build addressing the CORS misconfiguration. At time of analysis, no vendor-released patch version has been independently confirmed, likely due to the vendor's non-responsiveness to early disclosure. As an interim workaround, operators should: (1) implement network-level origin filtering or a Web Application Firewall (WAF) rule restricting CORS requests to trusted domains only, (2) enforce strict CORS policies in the application configuration if user-configurable settings exist, and (3) monitor for suspicious cross-origin requests in access logs. Consult the VulDB advisory at https://vuldb.com/vuln/354653 for updates when patches become available. For detailed remediation guidance, check the vendor's security advisory channels, though vendor responsiveness has been limited.

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2021-34435 HIGH POC
8.8 Sep 01

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside th

CVE-2025-30354 HIGH POC
8.7 Apr 01

Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut

CVE-2024-41659 HIGH POC
8.1 Aug 20

memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotel

CVE-2024-37131 CRITICAL
9.8 Jun 13

SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated

CVE-2022-26969 CRITICAL
9.8 Dec 26

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9

CVE-2022-31736 CRITICAL
9.8 Dec 22

A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical

CVE-2026-34449 CRITICAL
9.6 Mar 31

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to

CVE-2026-6662 MEDIUM POC
5.5 Apr 20

Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint

CVE-2026-9739 CRITICAL
9.4 May 27

Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditional

CVE-2026-61736 CRITICAL
9.3 Jul 15

Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, c

CVE-2026-8948 CRITICAL
9.1 May 19

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

Share

CVE-2026-5321 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy