Description
Insufficient validation of Chrome extension identifiers in Raindrop.io Bookmark Manager Web App 5.6.76.0 allows attackers to obtain sensitive user data via a crafted request.
Published: 2026-04-22
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized access to user data
Action: Patch immediately
AI Analysis

Impact

This vulnerability arises from insufficient validation of Chrome extension identifiers in the Raindrop.io Bookmark Manager Web App version 5.6.76.0, permitting attackers to craft requests that retrieve sensitive user data. The weakness is an improper input validation that allows access to private bookmark information and other confidential data normally restricted to authenticated users. The potential impact is the exposure of private user data, leading to privacy violations and possible credential theft.

Affected Systems

The affected system is the Raindrop.io Bookmark Manager Web App version 5.6.76.0. No additional vendor or product versions are enumerated in the available data.

Risk and Exploitability

The absence of proper validation on the Chrome extension identifier enables attackers to forge requests and pull data from the web application. Because the exploit requires only the ability to send an HTTP request with a crafted extension identifier, it could be performed from a malicious browser extension or a malicious site. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. Nonetheless, the potential for private data exposure warrants a high security posture and prompt remediation.

Generated by OpenCVE AI on April 22, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Raindrop.io Bookmark Manager Web App where the issue has been fixed
  • If an immediate upgrade is not possible, block or restrict the endpoint that accepts Chrome extension identifiers by allowing only whitelisted IDs through a firewall or proxy rule
  • Enforce strict server‑side validation so the extension identifier matches a known, allowed set before processing any request
  • Regularly audit application logs for abnormal requests to the extension identifier endpoint and investigate any suspicious activity

Generated by OpenCVE AI on April 22, 2026 at 19:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Title Insufficient Validation of Chrome Extension Identifiers Leading to Sensitive Data Exposure
Weaknesses CWE-285

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-284
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of Chrome extension identifiers in Raindrop.io Bookmark Manager Web App 5.6.76.0 allows attackers to obtain sensitive user data via a crafted request.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-22T18:20:21.206Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31192

cve-icon Vulnrichment

Updated: 2026-04-22T18:17:52.476Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T14:16:36.420

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-31192

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T19:30:24Z

Weaknesses