Unauthenticated Server-Side Request Forgery in MagicMirror² by MagicMirrorOrg
CVE-2026-42281

9.2 CRITICAL

Key Information:

Vendor:
CVE Published: 14 May 2026

What is CVE-2026-42281?

MagicMirror², an open-source smart mirror platform, contains a server-side request forgery (SSRF) vulnerability in its /cors endpoint, which is reachable without authentication. An attacker can use the endpoint to make the server issue arbitrary HTTP requests to internal networks, including cloud metadata services and resources bound to localhost, exposing sensitive information and enabling unauthorized access. In addition, the endpoint expands environment variable placeholders, so secrets held in the server's environment can be exfiltrated through it. The vulnerability is fixed in version 2.36.0.
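As an added illustration (not code from the MagicMirror² project), the following Node.js validator shows the checks a CORS/proxy endpoint like the one described above needs before it fetches a caller-supplied URL: a host allowlist, rejection of loopback, private and link-local addresses (which covers the 169.254.169.254 metadata address), rejection of non-HTTP schemes, and refusal of any URL that still carries a placeholder. The function names, the allowlist entries and the `${NAME}` placeholder syntax are assumptions.

```javascript
// Added example, not MagicMirror²'s own code. Validates a proxy target before fetch.
// The allowlist below is a constructed sample; a deployment would list the hosts
// its modules actually need.
const ALLOWED_HOSTS = new Set(["api.openweathermap.org", "example.com"]);
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for literal addresses an SSRF target must never reach: loopback, RFC 1918,
// link-local (incl. the cloud metadata address), unspecified, and their IPv6 forms.
function isInternalIp(host) {
  const m = IPV4.exec(host);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (host.includes(":")) {                 // IPv6 literal, brackets already stripped
    const h = host.toLowerCase();
    return h === "::1" || h === "::" || h.startsWith("fe80:") ||
      h.startsWith("fc") || h.startsWith("fd") || h.startsWith("::ffff:");
  }
  return false;
}

// Returns { ok: true, url } or { ok: false, reason }. Order matters: the placeholder
// check runs on the raw string, before the URL parser percent-encodes anything.
function validateProxyTarget(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "missing url" };
  if (/\$\{[^}]*\}/.test(raw)) return { ok: false, reason: "placeholder in url" };
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparsable url" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme not allowed" };
  }
  // WHATWG URL normalises 0x7f000001, 2130706433 and 127.1 to 127.0.0.1 for us.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { ok: false, reason: "loopback host" };
  }
  if (isInternalIp(host)) return { ok: false, reason: "internal address" };
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: "host not in allowlist" };
  return { ok: true, url: url.href };
}
```

The address checks only cover literal hosts; because an allowlisted name is still resolved at fetch time, keep the allowlist strict or re-check the resolved address before connecting.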

Affected Version(s)

MagicMirror < 2.36.0

References

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
