Permissive CORS Vulnerability in Apache Helix REST API
CVE-2026-57111

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
9 July 2026

What is CVE-2026-57111?

A permissive Cross-Origin Resource Sharing (CORS) configuration in the Apache Helix REST API allows attackers to exploit cross-origin requests. By controlling a web page visited by a legitimate user, an attacker can read responses from and send requests to sensitive administrative REST endpoints. This vulnerability arises from the unrestrained return of Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true, alongside the reflection of arbitrary Access-Control-Request-Method and Access-Control-Request-Headers values in preflight responses. It is critical for users to upgrade to version 2.0.1 to mitigate this issue.

Affected Version(s)

Apache Helix REST 0 <= 2.0.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Aastha Aggarwal (https://github.com/Aastha2602)
.