CVE-2026-57111
Apache Software Foundation · Apache Helix REST
Permissive CORS configuration in Apache Helix REST API allows remote attackers to read responses from and issue cross-origin requests to administrative endpoints.
Executive summary
A high-severity CORS vulnerability in Apache Helix REST API allows unauthorized remote access to administrative endpoints, potentially exposing sensitive system information.
Vulnerability
The vulnerability exists in the 'CORSFilter' component, which unconditionally returns 'Access-Control-Allow-Origin: *' with 'Access-Control-Allow-Credentials: true'. This allows an unauthenticated remote attacker to bypass origin protections when an authorized user visits a malicious page.
Business impact
The CVSS score of 7.5 highlights the potential for unauthorized data access. By exploiting this, an attacker can perform cross-origin requests to administrative REST endpoints, potentially leading to the unauthorized disclosure of sensitive configuration or state information, which significantly undermines the security posture of the Helix cluster.
Remediation
Immediate Action: Upgrade Apache Helix REST to version 2.0.1 or later to ensure the CORS filter is correctly configured to use specific trusted origins.
Proactive Monitoring: Review web server logs for suspicious cross-origin requests originating from unknown or untrusted domains.
Compensating Controls: If upgrading is not immediately feasible, modify the web application server configuration to restrict CORS headers to authorized domains only.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations running Apache Helix REST should prioritize upgrading to version 2.0.1. The misconfiguration of CORS headers is a common vector for cross-site attacks, and moving to the patched version is essential to prevent unauthorized access to sensitive administrative interfaces.