The hook
MagicMirror is often deployed on small always-on devices, home labs, and dashboards that sit closer to internal networks than a normal public web app. CVE-2026-42281 turns an unauthenticated helper endpoint into a server-side fetch path, so an exposed instance can become a proxy from the attacker to places the attacker cannot reach directly.
Kako radi
MagicMirror deployments affected by CVE-2026-42281 can expose an unauthenticated server-side URL fetch path through the `/cors` endpoint. The risk is SSRF into destinations reachable from the MagicMirror host.
The blast radius
A confirmed exposure means the MagicMirror server accepted an unauthenticated URL fetch request. In real deployments, that can put internal services, metadata endpoints, and server-side secrets near the blast radius, depending on where the mirror is hosted and what network routes it can reach.
// what fixvibe checks
What FixVibe checks
FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.
Ironclad defenses
Upgrade MagicMirror to 2.36.0 or newer and restart the service that actually serves traffic. Until the fixed runtime is live, keep the MagicMirror HTTP interface behind trusted-network, VPN, SSO, or authenticated reverse-proxy controls, and block unauthenticated `/cors` access at the edge.