Description
MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.
Published: 2026-05-14
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MagicMirror² has a server‑side request forgery vulnerability in its /cors endpoint that lets an unauthenticated attacker send arbitrary HTTP requests to internal IP ranges, cloud metadata services, and localhost. The endpoint also expands environment variable placeholders, providing a path for the exfiltration of server‑side secrets. This flaw is a classic instance of CWE‑918 and can be leveraged to reach services that should be isolated from the internet.

Affected Systems

All installations of MagicMirrorOrg MagicMirror running a version older than 2.36.0 are affected. Any deployment that has not yet applied the 2.36.0 patch is vulnerable.

Risk and Exploitability

The vulnerability scores a 9.2 on the CVSS scale, indicating critical severity. Although the EPSS score is not available, the lack of authentication coupled with the direct exposure of an endpoint that can hit any URL makes exploitation likely from remote attackers. The flaw is not listed in the CISA KEV catalog, but its impact is still significant due to the potential to access sensitive internal hosts and credentials.

Generated by OpenCVE AI on May 14, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MagicMirror to version 2.36.0 or later.
  • If an upgrade is not immediately feasible, block or restrict the /cors endpoint by using firewall or ingress rules to limit access to trusted network hosts only.
  • In the interim, ensure that environment variables are not exposed through the endpoint by disabling or sanitizing placeholder expansion in the configuration.

Generated by OpenCVE AI on May 14, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ph6f-2cvq-79hq MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint
History

Fri, 15 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Magicmirrororg
Magicmirrororg magicmirror
Vendors & Products Magicmirrororg
Magicmirrororg magicmirror

Thu, 14 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.
Title MagicMirror²: Unauthenticated SSRF via /cors endpoint
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Magicmirrororg Magicmirror
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:51:14.186Z

Reserved: 2026-04-26T12:13:55.550Z

Link: CVE-2026-42281

cve-icon Vulnrichment

Updated: 2026-05-14T18:10:12.010Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T16:16:21.200

Modified: 2026-05-14T20:17:04.560

Link: CVE-2026-42281

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T11:21:14Z

Weaknesses