EXECUTIVE SUMMARY:
CVE-2026-42281 (CVSS 9.0, critical) is a Server-Side Request Forgery (SSRF) vulnerability in the `/cors` endpoint of the MagicMirror² server, affecting magicmirror versions up to and including 2.35.0. The endpoint acts as an open HTTP proxy: it requires no authentication and performs no validation of the supplied URL, so any remote attacker can make the server issue arbitrary HTTP requests to internal networks, cloud metadata services and services bound to localhost. Exploitation needs only a GET request to `/cors` carrying an attacker-chosen URL; the server fetches that URL and returns the response to the caller. Because environment variable placeholders in the URL are expanded server-side, the same request can also be used to exfiltrate server-side secrets. Successful exploitation can compromise cloud instance credentials, expose internal services and leak sensitive configuration, enabling lateral movement within the cloud account and unauthorized access to internal services.
RECOMMENDATION:
We recommend updating MagicMirror² to version 2.36.0, which fixes this vulnerability.
REFERENCES:
The following advisory contains further technical details:
https://github.com/advisories/GHSA-ph6f-2cvq-79hq