Severity
Critical · CVSS 8.6
Target
European B2B SaaS Company
Date
2026-02
Category
CORS Misconfiguration / Cross-Origin Data Theft

CORS Reflection with Credentials on Business API

The primary business API reflected any Origin header with Access-Control-Allow-Credentials: true. Combined with a publicly accessible API specification, any malicious website could silently read authenticated users' business data including orders, invoices, quotations, and company information.

Attack Chain

    Step 1: Arbitrary origin reflected with credentials

    The API reflected any Origin header and set Allow-Credentials: true.

    Step 2: Full API specification publicly accessible

    Complete API specification documenting every endpoint, parameter, and auth scheme: no authentication required.

    Step 3: Cross-origin data theft PoC

    JavaScript on any website could silently read all business data for authenticated users.

What Scanners Would Miss

CORS scanners flag origin reflection. They don't chain it with a public API spec to understand that an attacker gets a complete blueprint for data exfiltration.

By the Pinaka team · Published for educational purposes. All findings were responsibly disclosed.