- Severity
- Critical · CVSS 8.6
- Target
- European B2B SaaS Company
- Date
- 2026-02
- Category
- CORS Misconfiguration / Cross-Origin Data Theft
CORS Reflection with Credentials on Business API
The primary business API reflected any Origin header with Access-Control-Allow-Credentials: true. Combined with a publicly accessible API specification, any malicious website could silently read authenticated users' business data including orders, invoices, quotations, and company information.
Attack Chain
Step 1: Arbitrary origin reflected with credentials
The API reflected any Origin header and set Allow-Credentials: true.
Step 2: Full API specification publicly accessible
Complete API specification documenting every endpoint, parameter, and auth scheme: no authentication required.
Step 3: Cross-origin data theft PoC
JavaScript on any website could silently read all business data for authenticated users.
What Scanners Would Miss
CORS scanners flag origin reflection. They don't chain it with a public API spec to understand that an attacker gets a complete blueprint for data exfiltration.
By the Pinaka team · Published for educational purposes. All findings were responsibly disclosed.