Data Harvesting Vulnerability in Adalo Applications
CVE-2026-10708
Currently unrated
What is CVE-2026-10708?
A vulnerability in Adalo applications permits large-scale data harvesting without the need for app-specific secrets. An attacker can exploit a minimal leaderboard component to gain access to sensitive user information, including emails, UUIDs, and custom fields, through a single request. This is facilitated by a combination of wildcard CORS behavior, persistent JWTs with a lifespan of twenty days, and a lack of token revocation mechanisms, allowing unauthorized access to personal information across affected applications.
Affected Version(s)
App Builder 1 <= 2
