{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/849433#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nAdalo’s no‑code application platform exposes complete user records through its database API for all applications built on both V1 and V2.  Due to a platform-level flaw, authenticated users can retrieve full user data belonging to any Adalo application, regardless of configuration. This issue affects more than one million applications and placing developers and their end users at risk of data exposure that they cannot prevent or remediate.\r\n### Description\r\nAdalo is a Software-as-a-Service (SaaS) provider for building no-code applications. In theory, each application or tenant (customer) is logically isolated with separate databases, users, and configurations.\r\n\r\n**CVE-2026-10706** Unrestricted Disclosure of Full User Records\r\nThe Adalo database API contains a flaw which allows the backend to return complete user records for every list component request, regardless of which fields the component is configured to display. The database does not enforce ownership‑aware, server‑side authorization checks, allowing authenticated users of any Adalo application to query database and table identifiers belonging to other applications and retrieve full records, including fields not requested. This issue is amplified by the permissive CORS policy, plaintext storage of all text files and evidence suggests that deleted records may remain accessible.\r\n\r\n**CVE-2026-10708** Exposure and Reuse of Long-Lived JWT Tokens\r\nThe JWT tokens are visible in client‑side requests and remain valid for approximately twenty days. Once copied, they can be reused from any external website or script to query the database API directly. Because the platform allows requests from any origin, attackers can repeatedly query the API and extract large volumes of user data without interacting with the application itself. The combination of exposed tokens, permissive CORS behavior, and large response limits enables persistent, automated harvesting of entire user databases using only a single token obtained from any visitor session.\r\n### Impact\r\nThese vulnerabilities affect all Adalo applications across both V1 and V2. Because they occur at the platform level, the entire population of Adalo‑built applications is impacted.\r\n\r\n**Exposure of Sensitive Information to an Unauthorized attacker** (CVE-2026-10706) Attackers may extract full user records and correlate user behavior across multiple applications via `dbId` enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties.\r\n \r\n**Insufficiently Protected Credentials** (CVE-2026-10708) This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the absence of token revocation allows attackers to gather sensitive personal information from any Adalo application.\r\n\r\n### Solution\r\nAdalo contains an access control weakness that may allow unauthorized users to bypass application boundaries under certain conditions. Adalo has acknowledged the issue, however, no patch is currently available. Customers and tenants should assume data in Adalo collections may be exposed, and avoid storing sensitive information there until a patch is deployed. Users should remain aware of increased phishing and identity theft risks and monitor their accounts for suspicious activity. \r\n\r\n### Acknowledgements\r\nThanks to the reporter Saud Darwish. This document was written by Laurie Tyzenhaus.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/849433"}],"title":"Adalo Database API Enables Cross-App User Data Extraction via Over-Fetching and Missing Authorization Controls","tracking":{"current_release_date":"2026-07-08T14:03:42+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.43"}},"id":"VU#849433","initial_release_date":"2026-07-08 14:03:42.804075+00:00","revision_history":[{"date":"2026-07-08T14:03:42+00:00","number":"1.20260708140342.1","summary":"Released on 2026-07-08T14:03:42+00:00"}],"status":"final","version":"1.20260708140342.1"}},"vulnerabilities":[{"title":"In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration.","notes":[{"category":"summary","text":"In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties."}],"cve":"CVE-2026-10706","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#849433"}]},{"title":"This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets.","notes":[{"category":"summary","text":"This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the absence of token revocation allows attackers to gather sensitive personal information from any Adalo application."}],"cve":"CVE-2026-10708","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#849433"}]}],"product_tree":{"branches":[]}}