CVE-2025-55462 is a Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability found in Eramba Community and Enterprise Editions version 3.26.0. The vulnerability arises because the application reflects the Origin header from incoming requests directly into the Access-Control-Allow-Origin response header while also setting Access-Control-Allow-Credentials to true. This combination violates CORS security best practices, as it allows malicious third-party websites to make authenticated cross-origin requests to the Eramba API on behalf of logged-in users. Specifically, endpoints such as /system-api/login and /system-api/user/me return sensitive session data including user identifiers, names, email addresses, and access groups. Since the attacker’s JavaScript running in the victim’s browser can read these responses, it enables full session hijacking and data exfiltration without any user interaction or prior authentication. The vulnerability is present in default installations of version 3.26.0 and later, while earlier versions like 3.23.3 and before were tested and found unaffected. The flaw is categorized under CWE-942 (Improper Control of Generation of Code or Configuration) and has a CVSS v3.1 base score of 6.5, indicating a medium severity level. No patches or exploits are currently known, but the risk remains significant due to the sensitive nature of exposed data and the ease of exploitation via malicious websites.

For European organizations using Eramba v3.26.0, this vulnerability poses a significant risk to confidentiality and user session integrity. Attackers can hijack user sessions and access sensitive user information, potentially leading to unauthorized access to governance, risk, and compliance data managed within Eramba. This could result in data breaches, compliance violations (e.g., GDPR), and reputational damage. Since the vulnerability requires no user interaction beyond visiting a malicious website, it increases the attack surface considerably. Organizations relying on Eramba for critical compliance management may face operational disruptions if attackers leverage stolen sessions to manipulate or exfiltrate sensitive data. The medium CVSS score reflects the absence of direct integrity or availability impact but highlights the high confidentiality risk and ease of exploitation.

1. Immediate upgrade to a patched version of Eramba once available; monitor vendor advisories for updates. 2. As a temporary workaround, implement web application firewall (WAF) rules to block or sanitize Origin headers that are not from trusted domains. 3. Restrict CORS policies on the server side to explicitly allow only trusted origins and avoid reflecting arbitrary Origin headers. 4. Disable or limit Access-Control-Allow-Credentials unless strictly necessary and ensure it is only enabled for trusted origins. 5. Conduct internal audits to identify and monitor suspicious cross-origin requests to the Eramba API endpoints. 6. Educate users on avoiding untrusted websites while logged into Eramba to reduce exposure. 7. Employ Content Security Policy (CSP) headers to restrict the execution of untrusted scripts. 8. Review session management policies to detect and invalidate suspicious sessions promptly. 9. Consider network segmentation to isolate Eramba servers from general internet-facing services where feasible.