CVE-2026-10708 in App Builderinfo

Summary

by MITRE • 07/08/2026

This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the absence of token revocation allows attackers to gather sensitive personal information from any Adalo application.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/08/2026

This vulnerability represents a critical security flaw that enables unauthorized large-scale data harvesting across Adalo applications through a seemingly innocuous leaderboard component. The issue stems from improper access control mechanisms that allow attackers to extract user records containing sensitive information including email addresses, universally unique identifiers, and custom application-specific fields. The attack vector exploits a combination of weak CORS (Cross-Origin Resource Sharing) configuration that permits wildcard domain access, coupled with long-lived authentication tokens that remain valid for twenty days without any mechanism for token revocation or rotation.

The technical implementation of this vulnerability demonstrates poor security practices in token management and resource access control. JWT tokens with extended validity periods create persistent attack surfaces where compromised credentials can be leveraged over extended timeframes without requiring additional authentication steps. The wildcard CORS configuration eliminates proper origin validation, allowing any domain to make requests to the vulnerable endpoint, effectively removing the browser-based security boundary that typically protects against cross-site request forgery attacks. This combination of factors creates a scenario where attackers can systematically harvest user data from multiple applications without needing application-specific secrets or individual user credentials for each target.

The operational impact of this vulnerability extends far beyond simple data exposure, creating significant risks for user privacy and organizational security posture. Attackers can aggregate personal information across numerous Adalo applications, potentially enabling identity theft, social engineering attacks, and targeted phishing campaigns. The absence of token revocation mechanisms means that even if individual tokens are compromised, administrators cannot immediately invalidate them, prolonging the window of opportunity for malicious actors to exploit the vulnerability. This type of vulnerability aligns with CWE-285 (Improper Authorization) and CWE-346 (Origin Validation Error), while also demonstrating characteristics of ATT&CK technique T1566 (Phishing) through the potential for harvested credentials to be used in further attacks.

Organizations should implement immediate mitigations including strict CORS policy enforcement with specific allowed origins rather than wildcard configurations, implementation of short-lived JWT tokens with automatic rotation capabilities, and establishment of token revocation mechanisms. Security teams must also conduct comprehensive audits of all API endpoints to identify similar vulnerabilities and ensure proper access control mechanisms are in place. The vulnerability highlights the importance of following security best practices such as the principle of least privilege, regular security assessments, and implementing defense-in-depth strategies that protect against multiple attack vectors simultaneously. Organizations should also consider implementing rate limiting and monitoring mechanisms to detect unusual data access patterns that may indicate exploitation attempts.

Responsible

Certcc

Reservation

06/02/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!