Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Single unauthenticated network request returns PII with no secrets (AV:N/AC:L/PR:N/UI:N); confidentiality-only exposure, so C:H and I/A:N.
Primary rating from Vendor (cert).
CVSS VectorVendor: cert
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the absence of token revocation allows attackers to gather sensitive personal information from any Adalo application.
AnalysisAI
Sensitive information disclosure in Adalo App Builder (versions 1 through 2) lets remote unauthenticated attackers harvest personal data at scale by sending a single request to a minimal leaderboard component, returning user records that include emails, UUIDs, and custom fields. The flaw stems from wildcard CORS behavior combined with long-lived twenty-day JWTs and no token revocation, meaning any Adalo application can be scraped without app-specific secrets. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application is built on the affected Adalo App Builder (versions 1 through 2) and exposes the leaderboard component, whose API returns full user records rather than a minimized public view; the description specifies this minimal leaderboard component as the exact reachable surface. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a network-reachable, low-complexity, unauthenticated attack with high confidentiality impact but no integrity or availability effect - consistent with a pure data-exposure bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies an application built on Adalo and sends a single unauthenticated HTTP request to the leaderboard component's API endpoint, receiving back user records with emails, UUIDs, and custom fields. Because no app-specific secret is required and wildcard CORS permits cross-origin reads, the attacker scripts the request across many Adalo apps to harvest personal data en masse, or embeds it in a malicious web page to steal data from visitors' active sessions. … |
| Remediation | No specific vendor-released fix version is identified in the available data, so track the CERT/CC note (https://kb.cert.org/vuls/id/849433) and NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-10708) for a patched App Builder release and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all production Adalo applications; identify those using leaderboard components and estimate exposed user record count and data sensitivity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42276
GHSA-gv53-r5jh-4pc3