Description
Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer visited read the server's responses cross-origin — including the full project graph and the output of the /help endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but can be arbitrary command injection in rare cases. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.
Published: 2026-06-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The local HTTP server started by nx graph sent the header Access-Control-Allow-Origin: * on every response, allowing any website a developer visited to read the server’s responses cross‑origin. The exposed data includes the full project graph and the output of the /help endpoint, which may execute configured help commands. This flaw primarily leads to cross‑origin information disclosure and, in very rare cases, could enable arbitrary command injection. The vulnerability is rooted in issues categorized as CWE‑749 and CWE‑942.

Affected Systems

Products: Nrwl Nx – a monorepo solution for TypeScript and polyglot codebases. Affected Nx versions range from 17.0.4 up to, but not including, the fixed releases 22.7.2 and 23.0.0‑beta.2. Developers using these versions of Nx and running the local graph dev server are potentially impacted.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Likely attack conditions require the developer to run nx graph locally and then access a malicious web page while the dev server is active; the permissive CORS header then allows the attacker’s site to read the server’s responses. Because the attack surface is tied to local development and requires the developer to be online, the probability of exploitation is moderate, but using the exposed project graph data could aid further attacks.

Generated by OpenCVE AI on June 26, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nx to version 22.7.2 or newer (or to 23.0.0‑beta.2 on the 23.x line) to apply the vendor fix
  • If an immediate upgrade is not possible, restrict network exposure of the nx graph dev server by configuring a firewall or host‑based rules to allow connections only from the local machine
  • Limit the time the nx graph server is run and avoid browsing untrusted external sites while the dev server is active to reduce the window for cross‑origin attacks

Generated by OpenCVE AI on June 26, 2026 at 20:23 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer visited read the server's responses cross-origin — including the full project graph and the output of the /help endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but can be arbitrary command injection in rare cases. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.

Type: Title
Values Removed: (none)
Values Added: Nx: `nx graph` dev server permissive CORS policy

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-749, CWE-942

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:09:33.257Z

Reserved: 2026-06-15T23:12:41.965Z

Link: CVE-2026-54753

Vulnrichment

Updated: 2026-06-26T19:09:25.959Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:30:06Z

Weaknesses
  • CWE-749: Exposed Dangerous Method or Function
  • CWE-942: Permissive Cross-domain Security Policy with Untrusted Domains