Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
AnalysisAI
Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint without authentication, enabling cross-domain requests from untrusted origins. The vulnerability exists in the cors function of src/server.ts and permits information disclosure with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, elevating real-world risk despite the moderate CVSS 6.9 score.
Technical ContextAI
The vulnerability stems from improper CORS (Cross-Origin Resource Sharing) configuration in the Token Endpoint of copilot-api, classified under CWE-942 (Permissive Cross-domain Policy). CORS is a browser security mechanism that controls which external domains can access resources on a web server. When misconfigured with overly permissive policies (such as allowing all origins via wildcard '*' or failing to validate origin headers), attackers can craft malicious web pages that, when visited by legitimate users, silently make authenticated requests to the vulnerable API. The Token Endpoint, being authentication-related, is a high-value target. The CVSS 4.0 vector indicates network-accessible exploitation (AV:N) with low complexity (AC:L) and no privileges or user interaction required (PR:N/UI:N), though confidentiality/integrity/availability impact is limited (VC:L/VI:L/VA:L). The CPE cpe:2.3:a:ericc-ch:copilot-api:*:*:*:*:*:*:*:* confirms all versions up to 0.7.0 are affected.
RemediationAI
Upgrade ericc-ch copilot-api to a version released after 0.7.0 that implements proper CORS validation; verify the patched version restricts origin headers to explicitly whitelisted domains and eliminates wildcard ('*') origin acceptance on sensitive endpoints like Token Endpoint. If upgrade is not immediately feasible, implement compensating controls: (1) restrict CORS headers at a reverse proxy or API gateway by validating the 'Origin' header against a strict allowlist of trusted domains only, rejecting requests from unknown origins - this may impact legitimate cross-domain integrations, so coordinate with application owners; (2) enforce additional authentication mechanisms (mutual TLS, API keys, or HMAC signatures) on all Token Endpoint requests beyond CORS validation; (3) implement rate limiting and request filtering on the Token Endpoint to mitigate automated exploitation. Note that network-level mitigations (firewall rules restricting access to Token Endpoint to internal networks only) are effective if the endpoint is not required for public-facing integrations. Refer to VulDB submission https://vuldb.com/submit/794601 for vendor guidance. No official vendor advisory URL was provided in available references; contact ericc-ch directly for patch availability confirmation.
More in Cors Misconfiguration
View allCasdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside th
Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut
memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotel
SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated
In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9
A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical
Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to
Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditional
Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, c
Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.
A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23923
GHSA-6j2q-j3c7-4w55