Description
MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.
Published: 2026-05-14
Score: 9.2 Critical
EPSS: 3.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MagicMirror² has a server‑side request forgery vulnerability in its /cors endpoint that lets an unauthenticated attacker send arbitrary HTTP requests to internal IP ranges, cloud metadata services, and localhost. The endpoint also expands environment variable placeholders, providing a path for the exfiltration of server‑side secrets. This flaw is a classic instance of CWE‑918 and can be leveraged to reach services that should be isolated from the internet.

Affected Systems

All installations of MagicMirrorOrg MagicMirror running a version older than 2.36.0 are affected. Any deployment that has not yet applied the 2.36.0 patch is vulnerable.

Risk and Exploitability

The vulnerability scores a 9.2 on the CVSS scale, indicating critical severity. The EPSS score of 3% indicates a moderate likelihood of exploitation, and combined with the lack of authentication and a direct endpoint that can hit any URL, makes exploitation likely from remote attackers. The flaw is not listed in the CISA KEV catalog, but its impact is still significant due to the potential to access sensitive internal hosts and credentials.

Generated by OpenCVE AI on May 22, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MagicMirror to version 2.36.0 or later.
  • If an upgrade is not immediately feasible, block or restrict the /cors endpoint by using firewall or ingress rules to limit access to trusted network hosts only.
  • In the interim, ensure that environment variables are not exposed through the endpoint by disabling or sanitizing placeholder expansion in the configuration.

Generated by OpenCVE AI on May 22, 2026 at 15:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ph6f-2cvq-79hq MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint
History

Thu, 21 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Magicmirror
Magicmirror magicmirror
CPEs cpe:2.3:a:magicmirror:magicmirror:*:*:*:*:*:node.js:*:*
Vendors & Products Magicmirror
Magicmirror magicmirror
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

Fri, 15 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Magicmirrororg
Magicmirrororg magicmirror
Vendors & Products Magicmirrororg
Magicmirrororg magicmirror

Thu, 14 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.
Title MagicMirror²: Unauthenticated SSRF via /cors endpoint
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Magicmirror Magicmirror
Magicmirrororg Magicmirror
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:51:14.186Z

Reserved: 2026-04-26T12:13:55.550Z

Link: CVE-2026-42281

cve-icon Vulnrichment

Updated: 2026-05-14T18:10:12.010Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-14T16:16:21.200

Modified: 2026-05-21T20:12:03.110

Link: CVE-2026-42281

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T15:15:09Z

Weaknesses