Exposure of Sensitive Information to an Unauthorized attacker
Summary
| CVE | CVE-2026-10706 |
|---|---|
| State | PUBLISHED |
| Assigner | certcc |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-08 15:16:25 UTC |
| Updated | 2026-07-08 15:16:25 UTC |
| Description | In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties. |
Risk And Classification
Problem Types: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Adalo No-Code App Builder | App Builder | affected 1 2 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| kb.cert.org/vuls/id/849433 | [email protected] | kb.cert.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.