CollabPlatform: Malicious Sites Can Access User Account Info

CVE-2026-27579
Summary

CollabPlatform allows a malicious website to read user account information, including email address, account identifiers, and MFA status. The cause is a misconfiguration in the Appwrite project used by the application: it allows arbitrary origins in CORS responses while also permitting credentialed requests, so any website can make authenticated requests on behalf of users and read the responses. Users and administrators should be cautious when using the platform and consider implementing additional security measures to protect user data.

Original title
CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in ...
Original description
CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue authenticated cross-origin requests and read sensitive user account information, including email address, account identifiers, and MFA status. The issue did not have a fix at the time of publication.
NVD CVSS 3.1: 7.4
Vulnerability type
CWE-346
CWE-942
Published: 21 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
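
The combination named in the description (arbitrary origins in CORS responses together with credentialed requests) can be recognised from response headers alone. The following is an added example, not code from CollabPlatform or Appwrite; the function names, the `example.test` origins and the header sets are constructed for illustration.

```javascript
// Added example. Origins and header sets are constructed, not captured traffic.
const ALLOWLIST = ['https://app.example.test']; // hypothetical trusted front end

// Hardened decision: exact-match allowlist; credentials only for listed origins.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!requestOrigin || !allowlist.includes(requestOrigin)) {
    return {}; // no Access-Control-Allow-Origin: the browser blocks the read
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // stop caches reusing one origin's headers for another
  };
}

// Audit: given the Origin a probe sent and the headers returned, report whether
// an untrusted origin could read a response to a credentialed request.
function auditCors(probeOrigin, responseHeaders, allowlist) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const acao = h['access-control-allow-origin'];
  const creds = h['access-control-allow-credentials'] === 'true'; // case-sensitive
  if (!acao) return 'ok: no cross-origin read granted';
  if (acao === '*') {
    // Browsers reject a wildcard on credentialed requests.
    return creds ? 'misconfigured: wildcard with credentials'
                 : 'review: wildcard, uncredentialed only';
  }
  if (allowlist.includes(acao)) return 'ok: allowlisted origin';
  if (acao === probeOrigin && creds) {
    return 'vulnerable: arbitrary origin reflected with credentials';
  }
  return creds ? 'vulnerable: untrusted origin with credentials'
               : 'review: untrusted origin allowed';
}

// Constructed header sets: the weak behaviour from the advisory vs. the hardened one.
const probe = 'https://untrusted.example.test';
const weak = {
  'Access-Control-Allow-Origin': probe,
  'Access-Control-Allow-Credentials': 'true',
};
console.log(auditCors(probe, weak, ALLOWLIST));
console.log(auditCors(probe, corsHeadersFor(probe, ALLOWLIST), ALLOWLIST));
console.log(auditCors(ALLOWLIST[0], corsHeadersFor(ALLOWLIST[0], ALLOWLIST), ALLOWLIST));
```

The audit treats only the exact string `true` as enabling credentials, matching how browsers evaluate `Access-Control-Allow-Credentials`.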