In all versions of CollabPlatform, the Appwrite project that powers the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. Because of this, an attacker‑controlled domain can issue authenticated cross‑origin requests and read sensitive user account information, such as email addresses, account identifiers, and MFA status. The flaw is a classic CORS bypass that results in authenticated account data exposure (CWE‑346 and CWE‑942).

The vulnerability affects every instance of CollabPlatform, a full‑stack, real‑time document collaboration platform provided by karnop. All released versions are impacted because the underlying Appwrite project uses a default CORS configuration that allows any origin. No specific version range is supplied, indicating universal exposure across all product releases.

The CVSS score of 7.4 indicates a high likelihood of serious consequences if exploited. However, the EPSS score is listed as less than 1 %, reflecting a low current probability of exploitation, and the vulnerability is not present in CISA's KEV catalog. The attack requires an attacker‑controlled domain and a user who is already authenticated to the platform. Once those conditions are met, the attacker can harvest sensitive account data through cross‑origin requests, potentially leading to credential compromise or further account‑takeover attacks. Therefore, while exploitation currently appears uncommon, the exposed data and lack of a publicly available fix make this a risk that should be mitigated promptly.