CVE-2025-55462 is a security vulnerability stemming from a Cross-Origin Resource Sharing (CORS) misconfiguration in Eramba Community and Enterprise Editions version 3.26.0. The flaw arises because the application reflects the attacker-controlled Origin header in the Access-Control-Allow-Origin response header while simultaneously setting Access-Control-Allow-Credentials to true. This combination violates the fundamental security model of CORS, allowing malicious third-party websites to perform authenticated cross-origin requests against the Eramba API endpoints, including sensitive ones like /system-api/login and /system-api/user/me. The API responses contain sensitive session information such as user ID, name, email, and access groups, which the attacker’s JavaScript can read and exfiltrate. This effectively enables full session hijacking and unauthorized data access without requiring any user interaction or prior authentication bypass. The vulnerability is present in default installations, meaning no special configuration is needed to trigger the flaw. Versions prior to 3.26.0, including 3.23.3 and earlier, have been tested and found not vulnerable. No public exploits have been reported yet, but the ease of exploitation and severity of impact make this a critical threat. The vulnerability was reserved in August 2025 and published in January 2026, with no CVSS score assigned yet.

For European organizations, this vulnerability poses a significant risk to confidentiality and integrity of sensitive governance, risk, and compliance data managed within Eramba. Attackers can hijack user sessions and access personal and organizational information without user interaction, potentially leading to unauthorized changes, data leakage, and further lateral movement within networks. Given Eramba’s role in managing compliance and risk data, exploitation could undermine regulatory adherence (e.g., GDPR), damage organizational reputation, and expose sensitive internal controls. The default presence of this vulnerability increases the attack surface, especially for organizations that have not updated to patched versions. The lack of user interaction requirement and the ability to exploit via malicious websites make phishing and drive-by attacks viable vectors. The impact on availability is limited but could arise indirectly through compromised accounts and subsequent malicious activity.

Organizations should immediately audit their Eramba installations to determine if they are running version 3.26.0. Until a vendor patch is released, administrators should implement strict CORS policies by configuring the web server or application firewall to whitelist only trusted origins and disable Access-Control-Allow-Credentials where not necessary. Employing Content Security Policy (CSP) headers to restrict script sources can reduce the risk of malicious JavaScript execution. Monitoring API access logs for unusual cross-origin requests and anomalous user activity is advised. Users should be educated about the risks of visiting untrusted websites while authenticated to Eramba. Once available, promptly apply official patches from Eramba. Additionally, consider implementing multi-factor authentication (MFA) to reduce the impact of session hijacking. Network segmentation and limiting API exposure to internal networks can further reduce risk.