{"api_version":"1","generated_at":"2026-07-08T18:28:06+00:00","cve":"CVE-2026-10706","urls":{"html":"https://cve.report/CVE-2026-10706","api":"https://cve.report/api/cve/CVE-2026-10706.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-10706","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-10706"},"summary":{"title":"Exposure of Sensitive Information to an Unauthorized attacker","description":"In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties.","state":"PUBLISHED","assigner":"certcc","published_at":"2026-07-08 15:16:25","updated_at":"2026-07-08 15:16:25"},"problem_types":["CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":[],"references":[{"url":"https://kb.cert.org/vuls/id/849433","name":"https://kb.cert.org/vuls/id/849433","refsource":"cret@cert.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-10706","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-10706","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Adalo No-Code App Builder","product":"App Builder","version":"affected 1 2 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"App Builder","vendor":"Adalo No-Code App Builder","versions":[{"lessThanOrEqual":"2","status":"affected","version":"1","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties."}],"problemTypes":[{"descriptions":[{"description":"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","lang":"en"}]}],"providerMetadata":{"dateUpdated":"2026-07-08T14:06:34.842Z","orgId":"37e5125f-f79b-445b-8fad-9564f167944b","shortName":"certcc"},"references":[{"url":"https://kb.cert.org/vuls/id/849433"}],"source":{"discovery":"UNKNOWN"},"title":"Exposure of Sensitive Information to an Unauthorized attacker","x_generator":{"engine":"VINCE 3.0.43","env":"prod","origin":"https://cveawg.mitre.org/api/cve/CVE-2026-10706"}}},"cveMetadata":{"assignerOrgId":"37e5125f-f79b-445b-8fad-9564f167944b","assignerShortName":"certcc","cveId":"CVE-2026-10706","datePublished":"2026-07-08T14:06:34.842Z","dateReserved":"2026-06-02T17:46:45.590Z","dateUpdated":"2026-07-08T14:06:34.842Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-08 15:16:25","lastModifiedDate":"2026-07-08 15:16:25","problem_types":["CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"10706","Ordinal":"1","Title":"Exposure of Sensitive Information to an Unauthorized attacker","CVE":"CVE-2026-10706","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"10706","Ordinal":"1","NoteData":"In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties.","Type":"Description","Title":"Exposure of Sensitive Information to an Unauthorized attacker"}]}}}