Description
A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-origin data exposure
Action: Patch
AI Analysis

Impact

A flaw in vanna up to version 2.0.2 allows manipulation of its FastAPI/Flask server configuration, resulting in a permissive CORS policy that permits untrusted domains. This can enable malicious web origins to access the API and sensitive data, leading to potential data leakage or unauthorized interactions.

Affected Systems

All installations of vanna containing the FastAPI/Flask server component through version 2.0.2 are affected. No other product versions are mentioned.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk; the flaw is exploitable remotely with no local access required. A public exploit exists, which implies the flaw can be triggered from an external network. Attackers likely exploit it by sending specially crafted requests that configure the server to allow cross-origin requests from arbitrary domains.

Generated by OpenCVE AI on April 2, 2026 at 10:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check vanna release notes or the vendor’s website for a patched version that fixes the CORS issue; apply the upgrade if available.
  • If no updated package exists, modify the FastAPI/Flask configuration to disallow wildcard origins by setting a strict list of allowed origins or removing the permissive policy.
  • Add validation of the Origin header to ensure only trusted domains can receive responses, rejecting any requests with untrusted origins.
  • Restrict network exposure of the affected endpoints by implementing firewalls or network segmentation to limit access to trusted networks.
  • Monitor application logs for unusual cross-origin requests and investigate any suspicious activity.
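As an added example, not code from the advisory or from the vanna project, this implements the strict allowlist and Origin validation the second and third recommendations describe; the permissive and hardened FastAPI CORSMiddleware settings are noted in comments, and the allowlisted hosts are constructed values.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment loads it from configuration.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})

# Permissive pattern behind CWE-942, as it would appear in a FastAPI app:
#   CORSMiddleware(app, allow_origins=["*"], allow_credentials=True)
# Hardened equivalent:
#   CORSMiddleware(app, allow_origins=sorted(ALLOWED_ORIGINS), allow_credentials=True)
# The functions below apply the same exact-match rule in a Flask or hand-rolled handler.


def normalize_origin(origin: Optional[str]) -> Optional[str]:
    """Canonicalize an Origin header to scheme://host[:port], or return None.

    Rejects anything that is not a single well-formed origin: empty values,
    the literal "null", wildcards, userinfo, paths, queries and bad ports.
    """
    if not origin or origin == "null" or "*" in origin:
        return None
    parts = urlsplit(origin)
    try:
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("https", "http") or not parts.hostname or parts.username:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def is_trusted_origin(origin: Optional[str]) -> bool:
    """Exact allowlist match; prefix or suffix matching would accept look-alike hosts."""
    return normalize_origin(origin) in ALLOWED_ORIGINS


def cors_headers(request_origin: Optional[str]) -> dict:
    """Build CORS response headers for one request.

    An untrusted or absent origin gets only "Vary: Origin"; without an
    Access-Control-Allow-Origin header the browser withholds the response body.
    """
    headers = {"Vary": "Origin"}
    if is_trusted_origin(request_origin):
        # Echo the exact trusted origin; never emit "*" alongside credentials.
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```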


Tracking


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Vanna-ai
                                      Vanna-ai vanna
Vendors & Products                    Vanna-ai
                                      Vanna-ai vanna
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 08:00:00 +0000

Type          Values Removed   Values Added
Description                    A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title                          vanna-ai vanna FastAPI/Flask Server cross-domain policy
Weaknesses                     CWE-346
                               CWE-942
References
Metrics                        cvssV2_0
                               {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                               cvssV3_0
                               {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                               cvssV3_1
                               {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                               cvssV4_0
                               {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-02T18:30:05.222Z

Reserved: 2026-04-01T13:00:12.749Z

Link: CVE-2026-5321

Vulnrichment

Updated: 2026-04-02T18:29:58.495Z

NVD

Status: Received

Published: 2026-04-02T05:16:05.010

Modified: 2026-04-02T05:16:05.010

Link: CVE-2026-5321

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:22:21Z

Weaknesses