search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Adalo Database API Enables Cross-App User Data Extraction via Over-Fetching and Missing Authorization Controls

Vulnerability Note VU#849433

Original Release Date: 2026-07-08 | Last Revised: 2026-07-08

Overview

Adalo’s no‑code application platform exposes complete user records through its database API for all applications built on both V1 and V2. Due to a platform-level flaw, authenticated users can retrieve full user data belonging to any Adalo application, regardless of configuration. This issue affects more than one million applications and placing developers and their end users at risk of data exposure that they cannot prevent or remediate.

Description

Adalo is a Software-as-a-Service (SaaS) provider for building no-code applications. In theory, each application or tenant (customer) is logically isolated with separate databases, users, and configurations.

CVE-2026-10706 Unrestricted Disclosure of Full User Records
The Adalo database API contains a flaw which allows the backend to return complete user records for every list component request, regardless of which fields the component is configured to display. The database does not enforce ownership‑aware, server‑side authorization checks, allowing authenticated users of any Adalo application to query database and table identifiers belonging to other applications and retrieve full records, including fields not requested. This issue is amplified by the permissive CORS policy, plaintext storage of all text files and evidence suggests that deleted records may remain accessible.

CVE-2026-10708 Exposure and Reuse of Long-Lived JWT Tokens
The JWT tokens are visible in client‑side requests and remain valid for approximately twenty days. Once copied, they can be reused from any external website or script to query the database API directly. Because the platform allows requests from any origin, attackers can repeatedly query the API and extract large volumes of user data without interacting with the application itself. The combination of exposed tokens, permissive CORS behavior, and large response limits enables persistent, automated harvesting of entire user databases using only a single token obtained from any visitor session.

Impact

These vulnerabilities affect all Adalo applications across both V1 and V2. Because they occur at the platform level, the entire population of Adalo‑built applications is impacted.

Exposure of Sensitive Information to an Unauthorized attacker (CVE-2026-10706) Attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties.

Insufficiently Protected Credentials (CVE-2026-10708) This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the absence of token revocation allows attackers to gather sensitive personal information from any Adalo application.

Solution

Adalo contains an access control weakness that may allow unauthorized users to bypass application boundaries under certain conditions. Adalo has acknowledged the issue, however, no patch is currently available. Customers and tenants should assume data in Adalo collections may be exposed, and avoid storing sensitive information there until a patch is deployed. Users should remain aware of increased phishing and identity theft risks and monitor their accounts for suspicious activity.

Acknowledgements

Thanks to the reporter Saud Darwish. This document was written by Laurie Tyzenhaus.

Vendor Information

849433
 

Adalo No-Code App Builder Unknown

Notified:  2026-04-03 Updated: 2026-07-08

CVE-2026-10706 Unknown
CVE-2026-10708 Unknown

Vendor Statement

We have not received a statement from the vendor.


Other Information

CVE IDs: CVE-2026-10706 CVE-2026-10708
API URL: VINCE JSON | CSAF
Date Public: 2026-07-08
Date First Published: 2026-07-08
Date Last Updated: 2026-07-08 14:03 UTC
Document Revision: 1

Sponsored by CISA.