CVE-2026-42281 - Vulnerability Analysis

Overview

MagicMirror <= 2.35.0 contains a server-side request forgery vulnerability in the /cors endpoint, allowing unauthenticated attackers to make arbitrary HTTP requests and exfiltrate server-side secrets via environment variable expansion.

Severity & Score

Impact

A remote unauthenticated attacker can force the MagicMirror server to request localhost, internal network, and cloud metadata endpoints. In affected configurations, the endpoint can return server-side responses to the attacker.

Mitigation

Upgrade MagicMirror to version 2.36.0 or later.

References

• https://github.com/advisories/GHSA-ph6f-2cvq-79hq
• https://github.com/MagicMirrorOrg/MagicMirror/security/advisories/GHSA-ph6f-2cvq-79hq
• https://github.com/MagicMirrorOrg/MagicMirror/releases/tag/v2.36.0
• https://osv.dev/vulnerability/GHSA-ph6f-2cvq-79hq

Social Media Activity(2 posts)

OffSequence

@offseq

May 14, 2026

🚨 CVE-2026-42281: CRITICAL SSRF in MagicMirror² (<2.36.0)! /cors endpoint lets unauthenticated attackers scan internal networks & exfiltrate environment secrets. Upgrade to 2.36.0+ now! https://radar.offseq.com/threat/cve-2026-42281-cwe-918-server-side-request-forgery-3c9e7191 #OffSeq #SSRF #MagicMirror #Vuln

View original post

OffSequence

@offseq

May 14, 2026

🚨 CVE-2026-42281: CRITICAL SSRF in MagicMirror² (<2.36.0)! /cors endpoint lets unauthenticated attackers scan internal networks & exfiltrate environment secrets. Upgrade to 2.36.0+ now! https://radar.offseq.com/threat/cve-2026-42281-cwe-918-server-side-request-forgery-3c9e7191 #OffSeq #SSRF #MagicMirror #Vuln

View original post

GitHub Repositories(1 repo)

• https://github.com/Astaruf/CVE-2026-42281

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner