MagicMirror versions up to and including 2.35.0 contain a critical vulnerability in which the /cors endpoint permits unauthenticated Server-Side Request Forgery (SSRF) [S2]. This issue is tracked as CVE-2026-42281 [S1].
Attacker Impact
An attacker can use the MagicMirror server as an open proxy to reach internal network resources that are not exposed to the public internet [S2]. This enables internal port scanning and the potential theft of cloud environment credentials by querying metadata services [S2]. Because the endpoint requires no authentication, any remote attacker with network access to the MagicMirror instance can exploit this flaw [S2].
Root Cause
The vulnerability exists in the /cors endpoint, which was designed to help modules bypass Cross-Origin Resource Sharing (CORS) restrictions [S2]. The implementation fails to authenticate requests and does not sufficiently validate or restrict the target URLs provided by the user [S2]. This allows the server to be coerced into fetching any URL on behalf of the attacker [S2].
Concrete Fixes
Users should update MagicMirror to a version later than 2.35.0 to resolve this vulnerability [S2]. It is also recommended to restrict access to the MagicMirror web interface using a firewall or a reverse proxy that enforces strict authentication [S1]. Additionally, ensure the MagicMirror instance does not have unnecessary access to sensitive internal network segments [S1].
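The following is an added example, not MagicMirror's own code or the project's fix: it shows the kind of target validation the Root Cause section describes as missing, written for a CORS-proxy style endpoint. The "url" parameter name, the allowlist contents and the sample targets are assumptions constructed for illustration.

```javascript
// Added example for this advisory, not MagicMirror's own code: a hardened
// target check for a CORS-proxy endpoint. The "url" parameter name, the
// allowlist and the sample targets are assumptions constructed for illustration.

// Hosts that modules legitimately need; everything else is refused.
// (Constructed allowlist; an operator fills this from their own modules.)
const ALLOWED_HOSTS = new Set(['api.weather.example', 'feeds.example.org']);

// True for IPv4 literals in loopback, private (RFC 1918), CGNAT, link-local
// (which includes the 169.254.169.254 cloud metadata service) or 0.0.0.0/8.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// True for IPv6 literals that are loopback, unspecified, ULA, link-local
// or IPv4-mapped (the mapped form can smuggle a private IPv4 address).
function isPrivateIPv6(ip) {
  const h = ip.toLowerCase();
  return h === '::1' || h === '::' || h.startsWith('fc') || h.startsWith('fd') ||
    h.startsWith('fe80') || h.startsWith('::ffff:');
}

// Decide whether the proxy may fetch `target`; returns { ok, reason } so the
// reason can be logged and alerted on. Parsing with WHATWG URL canonicalises
// tricks such as http://2130706433/ into 127.0.0.1 before the checks run.
function checkProxyTarget(target) {
  let u;
  try { u = new URL(String(target)); } catch { return { ok: false, reason: 'unparseable' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (u.username || u.password) return { ok: false, reason: 'credentials' };
  let host = u.hostname;
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1); // IPv6 literal
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'loopback' };
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isPrivateIPv4(host)) return { ok: false, reason: 'private-ip' };
  if (host.includes(':') && isPrivateIPv6(host)) return { ok: false, reason: 'private-ip' };
  // Primary control: only allowlisted hostnames. The literal-IP checks above are
  // defence in depth; a hostname that resolves to an internal address (DNS
  // rebinding) must still be caught at resolve time, which this function does not do.
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: 'not-allowlisted' };
  return { ok: true, reason: 'allowed' };
}
```

Wiring `checkProxyTarget(req.query.url)` in front of the fetch, and logging the returned reason, gives both the mitigation and a detection signal for rejected internal targets.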
Detection Research
Research indicates that this vulnerability can be identified by verifying whether the /cors endpoint processes requests for external resources [S2]. A successful request that results in the server fetching and returning content from an external origin confirms the presence of the unauthenticated SSRF [S2].
