CVE-2024-8026
Published: 20 March 2025
Summary
CVE-2024-8026 is a high-severity CSRF (CWE-352) vulnerability in Qanything Qanything. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083). The CVE ranks at the 25.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2024-8026 is a Cross-Site Request Forgery (CSRF) vulnerability in the backend API of netease-youdao/qanything, present as of commit d9ab8bc. The issue arises from overly permissive CORS headers on the backend server, which allow all cross-origin calls. This affects all backend endpoints, enabling unauthorized actions such as creating, uploading, listing, deleting files, and managing knowledge bases. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) and maps to CWE-352.
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L), but it requires user interaction (UI:R), such as tricking a victim into visiting a malicious site while authenticated to the backend. Exploitation allows the attacker to perform actions on the victim's behalf across all endpoints, resulting in high integrity (I:H) and availability (A:H) impacts, including arbitrary file operations and knowledge base modifications, with no direct confidentiality loss (C:N).
Mitigation guidance is available in the Huntr.com advisory at https://huntr.com/bounties/e57f1e32-0fe5-4997-926c-587461aa6274, where the vulnerability was reported. Security practitioners should consult this reference for patch details or recommended fixes, such as restricting CORS headers.
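As an added illustration (not code from the QAnything project), the following Python contrasts the permissive pattern the advisory describes, a backend that reflects any Origin and allows credentials, with an allowlist-based configuration, and adds a small audit function a defender can run over the headers a backend returns to an unexpected Origin. The allowlist and the origins used are constructed for this example.

```python
from typing import Dict, List, Optional

# Constructed allowlist for this example; a real deployment lists its own front-end origins.
ALLOWED_ORIGINS = {"https://app.example.com"}


def cors_headers_permissive(origin: Optional[str]) -> Dict[str, str]:
    """Weak pattern: reflect whatever Origin the browser sent and allow credentials.
    Every endpoint then honours authenticated calls from any site the victim visits."""
    if not origin:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
        "Access-Control-Allow-Headers": "Content-Type",
    }


def cors_headers_hardened(origin: Optional[str]) -> Dict[str, str]:
    """Fix: emit CORS headers only for allowlisted origins. Other origins get none,
    so the browser fails the preflight and withholds the response from page scripts."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, DELETE",
        "Access-Control-Allow-Headers": "Content-Type",
        "Vary": "Origin",  # stop caches serving one origin's headers to another
    }


def audit_cors(headers: Dict[str, str], probe_origin: str) -> List[str]:
    """Defender-side check: given the headers a backend returned to a request that
    carried an untrusted Origin, list the misconfigurations that enable CSRF-style abuse."""
    findings = []
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    untrusted = probe_origin not in ALLOWED_ORIGINS
    if acao == probe_origin and untrusted:
        findings.append("reflects arbitrary Origin")
    if acao == "*":
        findings.append("wildcard origin")
    if creds and acao in ("*", probe_origin) and untrusted:
        findings.append("credentials allowed for untrusted origin")
    if acao not in (None, "*") and "Vary" not in headers:
        findings.append("missing Vary: Origin")
    return findings
```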
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6914
Vulnerability details
A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating, uploading, listing, deleting files, and managing knowledge bases.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
Why these techniques?
CSRF combined with permissive CORS enables cross-origin exploitation (T1190) of the backend API for file and knowledge-base operations. That access in turn facilitates file discovery (T1083), collection from repositories such as knowledge bases (T1213), file deletion (T1070.004), and stored-data manipulation via the upload and create endpoints (T1565.001).
Mitigating Controls (NIST 800-53 r5, AI-generated mapping)
- AC-4 (Information Flow Enforcement): enforces information flow control policies that restrict cross-origin requests to authorized origins only, directly mitigating the permissive CORS headers that allow all cross-origin API calls.
- SC-7 (Boundary Protection): monitors and controls communications at system boundaries to block unauthorized cross-origin requests exploiting permissive CORS on backend endpoints.
- CM-6 (Configuration Settings): establishes and enforces secure configuration settings for CORS headers, preventing overly permissive cross-origin access to all backend API endpoints.