Data Harvesting Vulnerability in Adalo Applications
CVE-2026-10708

Currently unrated

Key Information:

Vendor
CVE Published:
8 July 2026

What is CVE-2026-10708?

A vulnerability in Adalo applications permits large-scale data harvesting without the need for app-specific secrets. An attacker can exploit a minimal leaderboard component to gain access to sensitive user information, including emails, UUIDs, and custom fields, through a single request. This is facilitated by a combination of wildcard CORS behavior, persistent JWTs with a lifespan of twenty days, and a lack of token revocation mechanisms, allowing unauthorized access to personal information across affected applications.

Affected Version(s)

App Builder 1 <= 2

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.