Skip to main content

CISA says Adalo database API exposes cross-app user data via flaws

Adalo’s database API exposes complete user records for applications built on both V1 and V2. A platform-level access control flaw enables authenticated users to retrieve full user data belonging to any Adalo application regardless of configuration, enabling exposure of sensitive user information.

For CVE-2026-10706, the Adalo database API returns complete user records for every list component request regardless of which fields the component is configured to display. The backend does not enforce ownership-aware, server-side authorization checks, which allows authenticated users of any Adalo application to query database and table identifiers belonging to other applications and retrieve full records, including fields not requested. The issue is amplified by permissive CORS behavior, plaintext storage of all text files, and evidence that deleted records may remain accessible. For CVE-2026-10708, JWT tokens are visible in client-side requests and remain valid for approximately twenty days; once copied, they can be reused from any external website or script to query the database API directly. Because the platform allows requests from any origin, attackers can repeatedly query the API and extract large volumes of user data without interacting with the application itself, and the combination of exposed tokens, permissive CORS behavior, and large response limits enables persistent, automated harvesting using a single token obtained from any visitor session.

The vulnerabilities affect all Adalo applications across both V1 and V2 because they occur at the platform level, impacting the entire population of Adalo-built applications. For CVE-2026-10706, attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration, and sensitive information can be exposed to unauthorized parties because data minimization, privacy by design, or appropriate technical safeguards are not implemented. For CVE-2026-10708, the issue enables large-scale data harvesting without requiring app-specific secrets, including emails, UUIDs, and custom fields from a minimal leaderboard component request, and allows attackers to gather sensitive personal information due to wildcard CORS behavior, long-lived twenty-day JWTs, and absence of token revocation.

Adalo has an access control weakness that may allow unauthorized users to bypass application boundaries under certain conditions. Adalo has acknowledged the issue, but no patch is currently available. Customers and tenants should assume data in Adalo collections may be exposed and avoid storing sensitive information there until a patch is deployed. Users should remain aware of increased phishing and identity theft risks and monitor their accounts for suspicious activity.

The guidance is to treat data stored in Adalo collections as potentially exposed until a patch is available and to adjust application data storage practices accordingly. The document also directs users to watch for signs of suspicious account activity and to account for the phishing and identity theft risks referenced in the advisory.