CVE-2020-26527

CRITICAL

Damstra Smart Asset 2020.7 - Origin Validation Error via API Version Endpoint

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-26527. PoCs published by lukaszstu.

AI-analyzed exploit summary This repository documents CVE-2020-26527, a CORS misconfiguration in Damstra Smart Asset 2020.7 where arbitrary origins are trusted due to a wildcard 'Access-Control-Allow-Origin: *' header. The README provides HTTP request/response examples demonstrating the vulnerability.

Description

An issue was discovered in API/api/Version in Damstra Smart Asset 2020.7. Cross-origin resource sharing trusts random origins by accepting the arbitrary 'Origin: example.com' header and responding with 200 OK and a wildcard 'Access-Control-Allow-Origin: *' header.

Exploits (1)

nomisec WRITEUP
by lukaszstu · poc
https://github.com/lukaszstu/SmartAsset-CORS-CVE-2020-26527

This repository documents CVE-2020-26527, a CORS misconfiguration in Damstra Smart Asset 2020.7 where arbitrary origins are trusted due to a wildcard 'Access-Control-Allow-Origin: *' header. The README provides HTTP request/response examples demonstrating the vulnerability.

Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Damstra Smart Asset 2020.7
No auth needed
Prerequisites: Network access to the target application
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.0090
EPSS Percentile 54.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-346
Status published
Products (1)
damstratechnology/smart_asset 2020.7
Published Oct 02, 2020
Tracked Since Feb 18, 2026