Cyber Resilience

CVE-2026-42281

Critical · Public PoC

Published: 14 May 2026
Modified: 21 May 2026
KEV Added: not listed
Patch: fixed in 2.36.0
CVSS Score (v4): 9.2
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0162 (73.2nd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-42281 is a critical-severity SSRF (CWE-918) vulnerability in Magicmirror Magicmirror. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 26.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

MagicMirror² is an open source modular smart mirror platform affected by an unauthenticated Server-Side Request Forgery vulnerability tracked as CVE-2026-42281. The flaw resides in the /cors endpoint in all versions prior to 2.36.0 and is classified under CWE-918. It permits arbitrary HTTP requests while also expanding environment-variable placeholders in the form **VAR_NAME**, which can expose server-side secrets.

Any remote attacker can exploit the issue without authentication to reach internal networks, cloud metadata endpoints, and localhost services, achieving high-impact information disclosure as reflected in the CVSS 9.2 score. The same requests can be used to exfiltrate environment variables that may contain credentials or other sensitive configuration data.

The vulnerability is fixed in MagicMirror² version 2.36.0 according to the published GitHub Security Advisory. The EPSS score remains at 0.0326 with no material increase since disclosure.

Vulnerability details

MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552.005 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

The unauthenticated SSRF on the public /cors endpoint directly enables T1190; the endpoint's ability to reach cloud metadata services enables T1552.005 credential exfiltration.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33039 (shared CWE-918)
CVE-2026-33351 (shared CWE-918)
CVE-2025-54122 (shared CWE-918)
CVE-2026-25545 (shared CWE-918)
CVE-2026-41905 (shared CWE-918)
CVE-2025-50180 (shared CWE-918)
CVE-2026-28423 (shared CWE-918)
CVE-2026-42595 (shared CWE-918)
CVE-2025-8085 (shared CWE-918)
CVE-2026-31017 (shared CWE-918)

Affected Assets

Vendor: magicmirror
Product: magicmirror
Versions: ≤ 2.36.0

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Enforces authorization checks on the /cors endpoint so unauthenticated remote attackers cannot initiate arbitrary SSRF requests.

prevent: Requires validation of the user-supplied URL (and **VAR_NAME** expansion) to block requests to internal, localhost, or metadata endpoints.

prevent: Enforces information-flow policy that denies server-initiated requests from reaching internal networks or cloud metadata services.
