CVE-2026-27579 PUBLISHED

CollabPlatform : CORS Misconfiguration Allows Arbitrary Origin With Credentials Leading to Authenticated Account Data Exposure

Assigner: GitHub_M
Reserved: 20.02.2026 Published: 21.02.2026 Updated: 21.02.2026

CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue authenticated cross-origin requests and read sensitive user account information, including email address, account identifiers, and MFA status. The issue did not have a fix at the time of publication.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CVSS Score: 7.4

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	karnop
Product	realtime-collaboration-platform
Versions	Version <= master is affected

References

https://github.com/karnop/realtime-collaboration-platform/security/advisories/GHSA-qh5m-p8jh-hx88

Problem Types

CWE-346: Origin Validation Error CWE
CWE-942: Permissive Cross-domain Policy with Untrusted Domains CWE