danswer-ai Danswer CORS Misconfiguration Vulnerability Allowing Data Theft
Vulnerability
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability has been identified in danswer-ai/danswer version 1.4.1. It allows attackers to steal sensitive information, including chat contents, API keys, and other data. The issue arises from improper validation of the Origin header, which enables malicious web pages to make unauthorized requests to the application's API.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive information such as chat contents and API keys.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.4
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
