Home

Description

This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the absence of token revocation allows attackers to gather sensitive personal information from any Adalo application.

PUBLISHED Reserved 2026-06-02 | Published 2026-07-08 | Updated 2026-07-09 | Assigner certcc

Problem types

CWE-522 Insufficiently Protected Credentials

CWE-346 Origin Validation Error

CWE-613 Insufficient Session Expiration

Product status

1 (custom)
affected

References

kb.cert.org/vuls/id/849433

cve.org (CVE-2026-10708)

nvd.nist.gov (CVE-2026-10708)

Download JSON