Description

CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue authenticated cross-origin requests and read sensitive user account information, including email address, account identifiers, and MFA status. The issue did not have a fix at the time of publication.

PUBLISHED Reserved 2026-02-20 | Published 2026-02-21 | Updated 2026-02-21 | Assigner GitHub_M




HIGH: 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N)

Problem types

CWE-346: Origin Validation Error

CWE-942: Permissive Cross-domain Policy with Untrusted Domains

Product status

<= master: affected

References

github.com/...atform/security/advisories/GHSA-qh5m-p8jh-hx88

cve.org (CVE-2026-27579)

nvd.nist.gov (CVE-2026-27579)
