PT-2026-32134 · Pypi · Openssl-Encrypt

Published: 2026-04-01 · Updated: 2026-04-01

CVSS v4.0: 6.6 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Summary

Both standalone servers configure CORS with allow_origins=["*"], allow_credentials=True, allow_methods=["*"], and allow_headers=["*"].

Affected Code

```python
# server/key-server/app/main.py:86-92
# server/telemetry-server/app/main.py:23-29
# Excerpt: `app` is the Starlette/FastAPI application object.
from starlette.middleware.cors import CORSMiddleware  # FastAPI re-exports this as fastapi.middleware.cors

app.add_middleware(
    CORSMiddleware,
    allow_origins=settings.cors_origins,  # defaults to ["*"]
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)
```

The docker-compose file (openssl encrypt server/docker-compose.yml:75) also defaults CORS_ORIGINS to *, and .env.example ships with CORS_ORIGINS=*.

Impact

This is the most permissive CORS configuration possible: any website can make fully credentialed cross-origin requests to the API. An attacker's page could therefore make authenticated API calls on behalf of any logged-in user who visits it, and read the responses.

Recommended Fix

  • Remove wildcard defaults — require explicit origin configuration
  • Never combine allow_origins=["*"] with allow_credentials=True
  • Update .env.example with placeholder domains instead of *

Fix

Fixed in commit 809416b on branch releases/1.4.x — changed CORS default from ["*"] to [] in both key-server and telemetry-server; added validation rejecting wildcard when debug=False.
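The recommended fix and the shipped fix above amount to two rules: parse CORS_ORIGINS into an explicit allowlist that defaults to empty and rejects "*" outside debug mode, and never combine a wildcard with credentials. The following is an added illustration of both rules, not the project's code; the helper names, the comma-separated CORS_ORIGINS format and the sample origins are assumptions.

```python
"""Added example: CORS allowlist validation in the spirit of the fix."""
from urllib.parse import urlsplit


class CorsConfigError(ValueError):
    """Raised when the CORS setting is unsafe for the current mode."""


def parse_cors_origins(raw: str, debug: bool = False) -> list[str]:
    """Parse a comma-separated CORS_ORIGINS value (hypothetical format).

    The default is an empty allowlist, not "*". A wildcard is tolerated only
    when debug=True, and every entry must be a full origin (scheme + host)
    because it is compared exactly against the request's Origin header.
    """
    origins = [o.strip() for o in raw.split(",") if o.strip()]
    if "*" in origins:
        if not debug:
            raise CorsConfigError("wildcard CORS origin rejected when debug=False")
        return ["*"]
    for origin in origins:
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
            raise CorsConfigError(f"not an explicit origin: {origin!r}")
    return origins


def cors_headers_for(request_origin: str, allowed: list[str], credentials: bool) -> dict[str, str]:
    """Compute the CORS response headers for one request (hypothetical helper).

    Credentials are never combined with "*": a credentialed response is
    produced only for an origin that is explicitly on the allowlist, and the
    caller's origin is never reflected just because a wildcard is configured.
    """
    if "*" in allowed:
        return {"Access-Control-Allow-Origin": "*"}
    if request_origin not in allowed:
        return {}  # no CORS headers: the browser blocks the cross-origin read
    headers = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    allowlist = parse_cors_origins("https://app.example.com")  # constructed sample value
    print(cors_headers_for("https://evil.example", allowlist, credentials=True))  # {}
    print(cors_headers_for("https://app.example.com", allowlist, credentials=True))
```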

Weakness Enumeration

Incorrect Authorization

Related Identifiers

GHSA-C65F-X25W-62JV

Affected Products

Openssl-Encrypt