Cyber Posture

CVE-2026-6662

High

Published: 20 April 2026
Modified: 22 April 2026
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0002 (6.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-6662 is a high-severity Origin Validation Error (CWE-346) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Enforces cross-domain policies with origin restrictions to directly prevent permissive CORS allowing untrusted domains access to the token endpoint.

prevent: Enforces information flow controls based on source origin, mitigating unauthorized cross-origin requests from untrusted domains.

prevent: Establishes and maintains secure configuration settings for the CORS function in src/server.ts to restrict untrusted domains.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a permissive CORS misconfiguration in a public-facing Token Endpoint API, directly enabling remote exploitation of the web application by allowing cross-origin requests from untrusted domains.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been made public and could be used.

Deeper analysis

CVE-2026-6662 is a vulnerability in ericc-ch copilot-api versions up to 0.7.0, specifically affecting the CORS function in the src/server.ts file of the Token Endpoint component. The issue results in a permissive cross-domain policy that allows untrusted domains, stemming from CWE-346 (Origin Validation Error) and CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). Published on 2026-04-20T17:16:39.647, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Any unauthenticated attacker with network access can exploit this vulnerability remotely by manipulating the CORS policy. Successful exploitation enables cross-origin requests from untrusted domains, with a low impact on confidentiality, integrity, and availability. The exploit has been made public and could be used in attacks.
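As an added illustration, not code from copilot-api or from this advisory, the following TypeScript contrasts an origin-reflecting CORS policy (the permissive shape the controls above are meant to prevent) with an allowlist that actually validates the Origin header. It is written framework-neutrally as pure functions so the decision can be checked without running a server; the origins, the hypothetical `CorsPolicy` interface and the `isPermissive` self-check are all constructed for this example.

```typescript
// Added example: permissive (origin-reflecting) CORS beside an allowlist policy.
// Nothing here is taken from copilot-api's src/server.ts; the shapes are constructed.

type HeaderMap = Record<string, string>;

export interface CorsPolicy {
  // Given the request's Origin header, return the CORS response headers to emit,
  // or null when the origin is not permitted (emit no CORS headers at all).
  headersFor(origin: string | undefined): HeaderMap | null;
}

// Weak policy: echoes whatever Origin the browser sends and allows credentials,
// so any site a logged-in user visits can read responses from the endpoint.
// This is the shape of a permissive cross-domain policy (CWE-942).
export const permissiveCors: CorsPolicy = {
  headersFor(origin) {
    if (origin === undefined) return null;
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
    };
  },
};

// Hardened policy: exact-match allowlist of full origins (scheme + host + port),
// normalised through the WHATWG URL parser so "https://app.example/" and
// "https://app.example:443" compare equal to "https://app.example", while
// "https://app.example.evil" and the opaque origin "null" are rejected (CWE-346).
export function allowlistCors(allowed: string[]): CorsPolicy {
  const normalise = (o: string): string | null => {
    try {
      return new URL(o).origin;
    } catch {
      return null; // not a parseable origin (e.g. the literal string "null")
    }
  };
  const trusted = new Set(
    allowed.map(normalise).filter((o): o is string => o !== null),
  );
  return {
    headersFor(origin) {
      if (origin === undefined) return null;
      const norm = normalise(origin);
      if (norm === null || !trusted.has(norm)) return null;
      return {
        'Access-Control-Allow-Origin': norm,
        'Access-Control-Allow-Credentials': 'true',
        'Access-Control-Allow-Methods': 'GET, POST',
        'Access-Control-Allow-Headers': 'Authorization, Content-Type',
        'Vary': 'Origin',
      };
    },
  };
}

// Convenience: the origin a policy would grant, or null when it grants nothing.
export function allowedOrigin(
  policy: CorsPolicy,
  origin: string | undefined,
): string | null {
  const h = policy.headersFor(origin);
  return h === null ? null : (h['Access-Control-Allow-Origin'] ?? null);
}

// Configuration self-check for defenders: a constructed origin that no deployment
// should ever have allowlisted. If the policy grants it, the policy is reflecting
// origins rather than validating them.
const PROBE_ORIGIN = 'https://untrusted-probe.invalid';
export function isPermissive(policy: CorsPolicy): boolean {
  return allowedOrigin(policy, PROBE_ORIGIN) !== null;
}

// Constructed allowlist for a local deployment (hostnames and port are placeholders).
export const examplePolicy = allowlistCors([
  'https://app.example/',
  'http://localhost:8080',
]);
```

The allowlist compares whole origins rather than substrings or regular expressions, which is what keeps lookalike hosts and the opaque "null" origin out; `isPermissive` can be run in a startup test so a reflecting configuration fails before the service accepts traffic.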

Advisories and related details are documented in the following references: https://github.com/August829/CVEP/issues/31, https://vuldb.com/submit/794601, https://vuldb.com/vuln/358300, and https://vuldb.com/vuln/358300/cti. No specific patch or mitigation steps are detailed in the available information.

Details

CWE(s): CWE-346 (Origin Validation Error), CWE-942 (Permissive Cross-domain Policy with Untrusted Domains)

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: copilot

CVEs Like This One

CVE-2024-10956 (shared CWE-346)
CVE-2026-41057 (shared CWE-346)
CVE-2026-25478 (shared CWE-942)
CVE-2026-22794 (shared CWE-346)
CVE-2025-9292 (shared CWE-942)
CVE-2026-41056 (shared CWE-942)
CVE-2025-1102 (shared CWE-346)
CVE-2024-8487 (shared CWE-346)
CVE-2026-27579 (shared CWE-346, CWE-942)
CVE-2025-21511 (shared CWE-346)
