CVE-2026-30924
Published: 19 March 2026
Summary
CVE-2026-30924 is a critical-severity Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942) vulnerability in Getqui Qui. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates secure baseline configuration settings for web servers, directly preventing the permissive CORS policy by enforcing restrictive origin validation and credential controls.
Enforces strict information flow control policies across system boundaries, blocking unauthorized cross-origin authenticated requests enabled by the reflective arbitrary origins.
Requires identification, reporting, and correction of the specific CORS misconfiguration flaw, eliminating the vulnerability to prevent exploitation via malicious webpages.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CORS misconfiguration directly enables cross-origin authenticated API abuse against the web UI (T1190 Exploit Public-Facing Application); exploitation requires targeted social-engineering to load attacker page (T1566.002 Spearphishing Link), after which session abuse yields data exfil and code execution via External Programs.
NVD Description
qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a…
more
logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication.
Deeper analysisAI
CVE-2026-30924 is a cross-origin resource sharing (CORS) misconfiguration vulnerability affecting qui, a web interface for managing qBittorrent instances, in versions 1.14.1 and below. The issue arises from a permissive CORS policy that reflects arbitrary origins in responses while also setting Access-Control-Allow-Credentials: true. This configuration allows any external webpage to make authenticated requests on behalf of a logged-in user, bypassing same-origin restrictions.
Attackers can exploit the vulnerability without privileges by tricking a victim into loading an attacker-controlled webpage, provided the victim accesses qui via a non-localhost hostname. The malicious page can then silently leverage the victim's existing session to interact with qui, exfiltrating sensitive data such as API keys and account credentials, or achieving full system compromise via the built-in External Programs manager. Exploitation relies on user interaction through highly targeted social-engineering attacks and carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), mapped to CWE-942 (Permissive Cross-domain Policy with Untrusted Domains).
The GitHub security advisory (GHSA-h8vw-ph9r-xpch) and commit 424f7a0de089dce881e8bbecd220163a78e0295f in the autobrr/qui repository document the vulnerability. This issue was not fixed at the time of publication on 2026-03-19.
Details
- CWE(s)