Home

Description

In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties.

PUBLISHED Reserved 2026-06-02 | Published 2026-07-08 | Updated 2026-07-09 | Assigner certcc

Problem types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Product status

1 (custom)
affected

References

kb.cert.org/vuls/id/849433

cve.org (CVE-2026-10706)

nvd.nist.gov (CVE-2026-10706)

Download JSON