PatchSiren cyber security CVE debrief
CVE-2026-42281 MagicMirrorOrg CVE debrief
CVE-2026-42281 is a critical unauthenticated server-side request forgery (SSRF) vulnerability in MagicMirror²’s /cors endpoint. Before 2.36.0, a remote attacker could make the server issue arbitrary HTTP requests toward internal networks, localhost services, and cloud metadata endpoints. The endpoint also expands environment-variable placeholders (**VAR_NAME), which can expose server-side secrets. The issue is fixed in 2.36.0.
- Vendor: MagicMirrorOrg
- Product: MagicMirror
- CVSS: CRITICAL 9.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-21
Who should care
Administrators and operators running MagicMirror² instances, especially deployments reachable from untrusted networks or those that can access internal services, localhost-only interfaces, or cloud metadata endpoints. Security teams should also care if the instance stores sensitive environment variables or secrets.
Technical summary
According to the NVD record and the linked GitHub security advisory, the flaw is an unauthenticated SSRF in the /cors endpoint affecting MagicMirror² versions prior to 2.36.0. The vulnerability allows arbitrary outbound HTTP requests from the server context, which can be used to reach internal-only targets and metadata services. Because the endpoint also expands **VAR_NAME placeholders, responses may leak environment-based secrets. NVD maps the weakness to CWE-918 and rates the issue with CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N, resulting in a 9.2 critical score.
Defensive priority
Critical and urgent. Patch to MagicMirror² 2.36.0 as soon as possible, then review exposure of the /cors endpoint and any secrets reachable through environment-variable expansion.
Recommended defensive actions
- Upgrade MagicMirror² to version 2.36.0 or later.
- Restrict network access to MagicMirror² so untrusted clients cannot reach the /cors endpoint.
- Review whether the instance can reach internal services, localhost-only listeners, or cloud metadata endpoints from its runtime environment.
- Audit logs for unusual outbound requests originating from the MagicMirror² server.
- Assess whether environment variables or other secrets may have been exposed and rotate affected credentials if needed.
- If immediate patching is not possible, place compensating network controls in front of the service to reduce exposure to untrusted requests.
Evidence notes
The vulnerability description, fixed version, and SSRF/placeholder-expansion behavior come from the supplied CVE summary and the linked GitHub Security Advisory. The NVD record classifies the issue as analyzed, lists the affected CPE range as versions before 2.36.0, maps the weakness to CWE-918, and provides the CVSS 4.0 vector and 9.2 critical score. The NVD published date (2026-05-14) and last-modified date (2026-05-21) are used only as disclosure-timeline context.
Official resources
- CVE-2026-42281 CVE record (CVE.org)
- CVE-2026-42281 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: the linked GitHub Security Advisory (NVD reference tags: Exploit, Vendor Advisory)
Publicly disclosed in the supplied record on 2026-05-14T16:16:21.200Z, with a subsequent record modification on 2026-05-21T20:12:03.110Z. The issue is reported as fixed in MagicMirror² 2.36.0.