CVE-2026-42281: CWE-918: Server-Side Request Forgery (SSRF) in MagicMirrorOrg MagicMirror
MagicMirror² versions prior to 2.36.0 contain a critical unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint. This flaw allows remote attackers to make the server perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost. Additionally, the endpoint expands environment variable placeholders, which can lead to exfiltration of server-side secrets. The vulnerability is fixed in version 2.36.0. The CVSS 4.0 base score is 9.2.
AI Analysis
Technical Summary
CVE-2026-42281 is a critical SSRF vulnerability (CWE-918) in MagicMirror², an open source modular smart mirror platform. The vulnerability exists in the /cors endpoint prior to version 2.36.0, allowing unauthenticated remote attackers to coerce the server into making arbitrary HTTP requests to internal and localhost services, including cloud metadata endpoints. The endpoint also processes environment variable placeholders, enabling attackers to extract sensitive server-side secrets. This vulnerability has a CVSS 4.0 score of 9.2 (critical). The issue is resolved in MagicMirror² version 2.36.0.
Potential Impact
Exploitation of this vulnerability can enable unauthorized internal network scanning, access to cloud metadata services (potentially exposing credentials or tokens), and leakage of server environment variables containing secrets. This compromises confidentiality and can facilitate further attacks within the internal network or cloud environment. Because the vulnerability is unauthenticated and remotely exploitable, the risk is elevated.
Mitigation Recommendations
A fix for this vulnerability is available in MagicMirror² version 2.36.0; upgrade to 2.36.0 or later to remediate the issue. The vendor advisory content provided does not separately state a patch status, but the description confirms that the vulnerability is fixed in 2.36.0. Until upgrading, restrict access to the MagicMirror server to trusted networks to reduce exposure, and in particular do not expose the /cors endpoint to untrusted clients.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-26T12:13:55.550Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a05f312ec166c07b0f45c96
Added to database: 5/14/2026, 4:06:42 PM
Last enriched: 5/14/2026, 4:21:51 PM
Last updated: 5/14/2026, 5:09:14 PM