Severity: low 

Affected versions:

- Apache Helix REST (org.apache.helix:helix-rest) through 2.0.0

Description:

Permissive Cross-Origin Resource Sharing (CORS) in the REST API (helix-rest, 
org.apache.helix.rest.server.filters.CORSFilter) in Apache Helix through 2.0.0 
on all platforms allows a remote attacker controlling a web page visited by an 
authorized user to read responses from and issue cross-origin requests to 
administrative REST endpoints via a cross-origin request from an arbitrary 
origin, since the filter unconditionally returns Access-Control-Allow-Origin: * 
together with Access-Control-Allow-Credentials: true and reflects arbitrary 
Access-Control-Request-Method / Access-Control-Request-Headers values in 
preflight responses. Users are recommended to upgrade to version 2.0.1, which 
fixes this issue.

Credit:

Aastha Aggarwal (reporter)

References:

https://helix.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-57111

Reply via email to