Cyber Resilience

CVE-2026-27579

High

Published: 21 February 2026

Published
21 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
EPSS Score 0.0001 0.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27579 is a high-severity Origin Validation Error (CWE-346) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-27579 is a cross-origin resource sharing (CORS) misconfiguration vulnerability affecting all versions of CollabPlatform, a full-stack real-time document collaboration platform. The issue resides in the Appwrite project used by the application, which is incorrectly set to allow arbitrary origins in CORS responses while also permitting credentialed requests. This enables unauthorized cross-origin access to sensitive data.

Attackers can exploit this vulnerability from any network location without privileges by controlling a malicious domain and tricking an authenticated user into interacting with it, such as via a phishing link (user interaction required). Successful exploitation allows the attacker to issue authenticated cross-origin requests and exfiltrate sensitive user account information from the Appwrite instance, including email addresses, account identifiers, and MFA status. The vulnerability has a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N), reflecting high confidentiality impact with changed scope.

The GitHub security advisory at https://github.com/karnop/realtime-collaboration-platform/security/advisories/GHSA-qh5m-p8jh-hx88, published on 2026-02-21, states that no fix was available at the time of disclosure. Practitioners should monitor for updates from the CollabPlatform maintainers and consider isolating or reconfiguring Appwrite instances to enforce strict origin policies in the interim.

EU & UK References

Vulnerability details

CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue authenticated…

more

cross-origin requests and read sensitive user account information, including email address, account identifiers, and MFA status. The issue did not have a fix at the time of publication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

CORS misconfiguration in public-facing CollabPlatform/Appwrite instance directly enables cross-origin authenticated requests; exploitation explicitly requires spearphishing link to lure authenticated user to attacker-controlled origin for data exfil.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30924Shared CWE-942
CVE-2025-34291Shared CWE-346
CVE-2026-32302Shared CWE-346
CVE-2026-6662Shared CWE-346, CWE-942
CVE-2025-1102Shared CWE-346
CVE-2026-6508Shared CWE-346
CVE-2025-9292Shared CWE-942
CVE-2026-41056Shared CWE-942
CVE-2024-22348Shared CWE-942
CVE-2025-21511Shared CWE-346

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces information flow rules between origins, preventing the arbitrary cross-origin credentialed requests that enable exfiltration of Appwrite user data.

prevent

Implements boundary protection mechanisms that restrict unauthorized cross-origin flows to the Appwrite backend, blocking the described CORS misconfiguration.

prevent

Enforces approved access authorizations at the application boundary, which the permissive CORS policy violates to allow unauthenticated cross-origin reads.

References