Permissive CORS Vulnerability in Apache Helix REST API
CVE-2026-57111
Currently unrated
What is CVE-2026-57111?
A permissive Cross-Origin Resource Sharing (CORS) configuration in the Apache Helix REST API allows attackers to exploit cross-origin requests. By controlling a web page visited by a legitimate user, an attacker can read responses from and send requests to sensitive administrative REST endpoints. This vulnerability arises from the unrestrained return of Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true, alongside the reflection of arbitrary Access-Control-Request-Method and Access-Control-Request-Headers values in preflight responses. It is critical for users to upgrade to version 2.0.1 to mitigate this issue.
Affected Version(s)
Apache Helix REST 0 <= 2.0.0