Cyber Posture

CVE-2024-8026

Severity: High · Public PoC

Published: 20 March 2025
Modified: 26 March 2025
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0009 (25.6th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Security Summary

CVE-2024-8026 is a Cross-Site Request Forgery (CSRF) vulnerability in the backend API of netease-youdao/qanything, present as of commit d9ab8bc. The issue arises from overly permissive CORS headers on the backend server, which allow all cross-origin calls. This affects all backend endpoints, enabling unauthorized actions such as creating, uploading, listing, deleting files, and managing knowledge bases. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) and maps to CWE-352.

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L), but it requires user interaction (UI:R), such as tricking a victim into visiting a malicious site while authenticated to the backend. Exploitation allows the attacker to perform actions on the victim's behalf across all endpoints, resulting in high integrity (I:H) and availability (A:H) impacts, including arbitrary file operations and knowledge base modifications, with no direct confidentiality loss (C:N).

Mitigation guidance is available in the Huntr.com advisory at https://huntr.com/bounties/e57f1e32-0fe5-4997-926c-587461aa6274, where the vulnerability was reported. Security practitioners should consult this reference for patch details or recommended fixes, such as restricting CORS headers.
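As an added illustration of the mitigation mentioned above (not code from the qanything project or the Huntr advisory), the following contrasts the permissive CORS pattern the summary describes with an origin-allowlist replacement; the allowed origins and the `origin_is_allowed` helper are constructed for this example.

```python
from urllib.parse import urlparse

# Constructed allowlist: only the front-end origins that legitimately call the backend.
ALLOWED_ORIGINS = {"https://qanything.example.internal", "https://app.example.internal"}

API_METHODS = "GET, POST, PUT, DELETE"


def permissive_cors_headers(request_origin):
    """The weak pattern the advisory describes: any Origin is echoed back and
    credentials are allowed, so a browser on any site can make authenticated
    calls to every backend endpoint on the victim's behalf."""
    return {
        "Access-Control-Allow-Origin": request_origin or "*",
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": API_METHODS,
    }


def restricted_cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Hardened replacement: CORS headers are emitted only for an exact,
    allowlisted origin. Returns None otherwise, meaning no CORS headers are
    sent, so the browser cannot read the response and preflighted requests
    (DELETE, JSON bodies, custom headers) are never issued."""
    if not request_origin:
        return None  # same-origin or non-browser client: no CORS headers needed
    parsed = urlparse(request_origin)
    # Compare scheme + host[:port] exactly; the "null" origin and any suffix
    # trickery (e.g. allowed-host.attacker.example) fail this check.
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    normalised = f"{parsed.scheme}://{parsed.netloc}".lower()
    if normalised not in allowed:
        return None
    return {
        "Access-Control-Allow-Origin": normalised,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": API_METHODS,
        # A specific origin is being echoed, so caches must key on Origin.
        "Vary": "Origin",
    }


def origin_is_allowed(request_origin, allowed=ALLOWED_ORIGINS):
    """Convenience check for middleware (hypothetical helper): True only when
    the hardened policy would emit CORS headers for this origin."""
    return restricted_cors_headers(request_origin, allowed) is not None
```

Restricting CORS blocks preflighted calls and stops other origins from reading responses, but form-encoded simple POSTs are still sent by the browser, so CSRF tokens or SameSite session cookies are needed alongside it.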

Details

CWE(s): CWE-352

Affected Products

Vendor: qanything
Product: qanything
Versions: ≤ 2024-06-24

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: qanything (netease-youdao/qanything) is an open-source AI-native multi-modal search and RAG framework with knowledge base management, fitting Enterprise AI Assistants; the vulnerability was reported on an AI/ML bug bounty platform (huntr.com).

MITRE ATT&CK Enterprise Techniques

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213 Data from Information Repositories (Collection)
Adversaries may leverage information repositories to mine valuable information.
T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

CSRF combined with permissive CORS enables cross-origin exploitation of the backend API (T1190) for file and knowledge-base operations, which in turn facilitates file discovery (T1083), collection from information repositories such as knowledge bases (T1213), file deletion (T1070.004), and stored-data manipulation via the upload/create endpoints (T1565.001).
