Skip to main content

Cors Misconfiguration CVE-2026-6662

| EUVDEUVD-2026-23923 MEDIUM
Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)
2026-04-20 VulDB GHSA-6j2q-j3c7-4w55
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Analysis Generated
Apr 20, 2026 - 17:53 vuln.today
Severity Changed
Apr 20, 2026 - 17:52 NVD
HIGH MEDIUM
CVSS changed
Apr 20, 2026 - 17:52 NVD
7.3 (HIGH) 6.9 (MEDIUM)
EUVD ID Assigned
Apr 20, 2026 - 17:15 euvd
EUVD-2026-23923
Analysis Generated
Apr 20, 2026 - 17:15 vuln.today
CVE Published
Apr 20, 2026 - 17:00 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been made public and could be used.

AnalysisAI

Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint without authentication, enabling cross-domain requests from untrusted origins. The vulnerability exists in the cors function of src/server.ts and permits information disclosure with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, elevating real-world risk despite the moderate CVSS 6.9 score.

Technical ContextAI

The vulnerability stems from improper CORS (Cross-Origin Resource Sharing) configuration in the Token Endpoint of copilot-api, classified under CWE-942 (Permissive Cross-domain Policy). CORS is a browser security mechanism that controls which external domains can access resources on a web server. When misconfigured with overly permissive policies (such as allowing all origins via wildcard '*' or failing to validate origin headers), attackers can craft malicious web pages that, when visited by legitimate users, silently make authenticated requests to the vulnerable API. The Token Endpoint, being authentication-related, is a high-value target. The CVSS 4.0 vector indicates network-accessible exploitation (AV:N) with low complexity (AC:L) and no privileges or user interaction required (PR:N/UI:N), though confidentiality/integrity/availability impact is limited (VC:L/VI:L/VA:L). The CPE cpe:2.3:a:ericc-ch:copilot-api:*:*:*:*:*:*:*:* confirms all versions up to 0.7.0 are affected.

RemediationAI

Upgrade ericc-ch copilot-api to a version released after 0.7.0 that implements proper CORS validation; verify the patched version restricts origin headers to explicitly whitelisted domains and eliminates wildcard ('*') origin acceptance on sensitive endpoints like Token Endpoint. If upgrade is not immediately feasible, implement compensating controls: (1) restrict CORS headers at a reverse proxy or API gateway by validating the 'Origin' header against a strict allowlist of trusted domains only, rejecting requests from unknown origins - this may impact legitimate cross-domain integrations, so coordinate with application owners; (2) enforce additional authentication mechanisms (mutual TLS, API keys, or HMAC signatures) on all Token Endpoint requests beyond CORS validation; (3) implement rate limiting and request filtering on the Token Endpoint to mitigate automated exploitation. Note that network-level mitigations (firewall rules restricting access to Token Endpoint to internal networks only) are effective if the endpoint is not required for public-facing integrations. Refer to VulDB submission https://vuldb.com/submit/794601 for vendor guidance. No official vendor advisory URL was provided in available references; contact ericc-ch directly for patch availability confirmation.

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2021-34435 HIGH POC
8.8 Sep 01

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside th

CVE-2025-30354 HIGH POC
8.7 Apr 01

Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut

CVE-2024-41659 HIGH POC
8.1 Aug 20

memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotel

CVE-2024-37131 CRITICAL
9.8 Jun 13

SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated

CVE-2022-26969 CRITICAL
9.8 Dec 26

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9

CVE-2022-31736 CRITICAL
9.8 Dec 22

A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical

CVE-2026-34449 CRITICAL
9.6 Mar 31

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to

CVE-2026-9739 CRITICAL
9.4 May 27

Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditional

CVE-2026-61736 CRITICAL
9.3 Jul 15

Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, c

CVE-2026-8948 CRITICAL
9.1 May 19

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

CVE-2023-25603 CRITICAL
9.1 Nov 14

A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.

Share

CVE-2026-6662 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy