CVE-2020-26527
Description
An issue was discovered in API/api/Version in Damstra Smart Asset 2020.7. Cross-origin resource sharing trusts random origins by accepting the arbitrary 'Origin: example.com' header and responding with 200 OK and a wildcard 'Access-Control-Allow-Origin: *' header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CORS misconfiguration in Damstra Smart Asset 2020.7 answers any Origin with Access-Control-Allow-Origin: *, letting any web page read the API/api/Version response cross-origin and disclosing version and build information.
Vulnerability
In Damstra Smart Asset version 2020.7, the endpoint API/api/Version misconfigures Cross-Origin Resource Sharing (CORS). It accepts any arbitrary Origin header and responds with a wildcard Access-Control-Allow-Origin: * header, as demonstrated with an Origin: https://StudniarzLukasz.com header [2]. This violates the principle of restricting access to trusted origins only. The vulnerability exists in the described version; no other versions are mentioned in the references.
Exploitation
An attacker-controlled web page can issue a GET request to /API/api/Version; the browser attaches the page's Origin header automatically, and the server answers with Access-Control-Allow-Origin: * regardless of its value [2]. Under the CORS rules browsers enforce, a wildcard lets a cross-origin page read the response only when the request was sent without credentials; for a request sent with cookies the server must echo the exact requesting origin and add Access-Control-Allow-Credentials: true, and a literal * is rejected in that case. The sample request in the reference includes a session cookie [2], but nothing in the references shows the server reflecting the origin or setting Access-Control-Allow-Credentials, so the demonstrated effect is that any site can read whatever the endpoint returns to a request carrying no session. If the endpoint does require a valid session, the wildcard alone does not let a malicious page read the authenticated response; whether the endpoint serves its data without a session is the first thing a tester should confirm. No authentication bypass is described in the references.
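To make the credentialed-versus-anonymous distinction above concrete, here is a small model of the response check a browser applies before exposing a cross-origin response to page script. This is an added example, not code from the reference or from the product; the header values are constructed from the description of the Version endpoint's behaviour, and the attacker origin is hypothetical.

```javascript
// Added example: a minimal model of the CORS response check a browser applies
// before letting a cross-origin page read a response. Not code from the
// reference or the product; header values are constructed from the CVE text.

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? null : headers[key];
}

// May a page at pageOrigin read a response carrying responseHeaders?
// withCredentials is true when the request was sent with cookies, i.e.
// fetch(url, { credentials: 'include' }) or XMLHttpRequest.withCredentials = true.
function browserMayReadResponse(pageOrigin, withCredentials, responseHeaders) {
  const acao = getHeader(responseHeaders, 'Access-Control-Allow-Origin');
  if (acao === null) return false;
  if (withCredentials) {
    // Credentialed responses must name the origin exactly and opt in
    // explicitly. A literal "*" is rejected even when
    // Access-Control-Allow-Credentials: true is also present.
    const acac = getHeader(responseHeaders, 'Access-Control-Allow-Credentials');
    return acao === pageOrigin && acac === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// What the reference reports the endpoint sending: a wildcard for any Origin.
const WILDCARD_RESPONSE = {
  'Access-Control-Allow-Origin': '*',
  'Content-Type': 'application/json',
};

// The variant the references do NOT show: the requesting origin reflected
// back plus credentials allowed. This is the combination that would expose a
// cookie-authenticated response to a hostile page.
function reflectedResponseFor(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Walk through the combinations for a hypothetical attacker origin.
function demonstrate(attackerOrigin = 'https://attacker.example') {
  return {
    // wildcard, request without cookies: readable (what the reference shows)
    wildcardAnonymousRead: browserMayReadResponse(attackerOrigin, false, WILDCARD_RESPONSE),
    // wildcard, request with cookies: blocked by the browser
    wildcardCookieRead: browserMayReadResponse(attackerOrigin, true, WILDCARD_RESPONSE),
    // wildcard plus Allow-Credentials: still blocked, "*" is never valid with credentials
    wildcardPlusCredentialsCookieRead: browserMayReadResponse(attackerOrigin, true, {
      'Access-Control-Allow-Origin': '*',
      'Access-Control-Allow-Credentials': 'true',
    }),
    // reflected origin plus Allow-Credentials: readable, the truly dangerous case
    reflectedCookieRead: browserMayReadResponse(attackerOrigin, true, reflectedResponseFor(attackerOrigin)),
  };
}
```

When testing a CORS finding like this one, send the request twice from a page on a foreign origin, once with `credentials: 'omit'` and once with `credentials: 'include'`, and compare which response bodies script can actually read; the server's headers alone do not tell you.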
Impact
A successful cross-origin read of API/api/Version discloses system information: the exact product version, assembly version, build date, company name, and copyright details [2]. This is useful for fingerprinting a deployment and selecting version-specific attacks. If other endpoints share the same CORS handling, an attacker could read whatever those endpoints return under the same conditions. State-changing requests are a separate concern: CORS governs only whether a cross-origin page may read a response, not whether the request is sent, so cross-site request forgery would need to be assessed on its own. The impact is information disclosure; the references give no evidence of remote code execution or privilege escalation.
Mitigation
No patch or fix is identified in the provided references. The smartasset.com site [1] appears unrelated to the Damstra product, and no vendor advisory or update is mentioned. Operators should restrict network access to the API and configure CORS to validate the Origin header against an explicit allowlist of full origins (scheme, host and port), returning that exact value rather than *, adding Vary: Origin, and omitting the Access-Control-Allow-Origin header entirely for any origin not on the list. Reflecting an arbitrary Origin back must be avoided, especially together with Access-Control-Allow-Credentials: true, since that combination is what lets a hostile page read a cookie-authenticated response. Where the application itself cannot be changed, a reverse proxy in front of it can strip the application's CORS headers and apply the allowlist; if the software is no longer supported, migrating to a maintained release or alternative is recommended. CORS is not an access control for non-browser clients, so the endpoint's own authentication still needs review. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
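The allowlist check the mitigation calls for, written as plain JavaScript functions. This is an added example, not Damstra's code or anything from the references; the allowlist contents are assumptions. It shows the two weak behaviours (the wildcard the reference observed, and origin reflection) beside a strict validator that also covers the usual allowlist pitfalls: substring or suffix matching, the "null" origin, and values that are not a bare origin.

```javascript
// Added example: server-side CORS origin validation. Not product code; the
// allowlist below is an assumption for illustration.

// Weak: every Origin gets a wildcard, as the reference shows the Version
// endpoint doing. Any site can read the unauthenticated response.
function weakCorsHeaders(requestOrigin) {
  return requestOrigin ? { 'Access-Control-Allow-Origin': '*' } : {};
}

// Also weak, and worse: reflect whatever Origin arrives and allow credentials.
// This turns a CORS misconfiguration into a credentialed cross-origin read.
function reflectingCorsHeaders(requestOrigin) {
  return requestOrigin
    ? { 'Access-Control-Allow-Origin': requestOrigin, 'Access-Control-Allow-Credentials': 'true' }
    : {};
}

// Hardened: exact match of the full origin (scheme://host[:port]) against a
// fixed set. No startsWith/endsWith/includes matching, which would let
// https://assets.example.attacker.test pass a check for "assets.example".
// Unknown origins get no CORS headers at all; the browser then blocks the read.
function strictCorsHeaders(requestOrigin, allowedOrigins) {
  if (typeof requestOrigin !== 'string') return {};
  // "null" is sent by sandboxed iframes, file:// pages and some redirects;
  // allowing it would allow everyone who can produce such a context.
  if (requestOrigin === 'null') return {};
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch {
    return {};
  }
  // Reject anything that is not exactly a serialized origin (paths, trailing
  // slashes, userinfo, odd casing): a browser never sends those in Origin.
  if (parsed.origin !== requestOrigin) return {};
  if (!allowedOrigins.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // Cache keyed on Origin, so a response for one allowed origin is not
    // served from a shared cache to another.
    'Vary': 'Origin',
  };
}

// Assumed allowlist: the product's own web front end(s), nothing else.
const ALLOWED_ORIGINS = new Set([
  'https://assets.example',
  'https://assets-staging.example:8443',
]);

// Convenience wrapper in the shape a request handler or reverse-proxy hook
// would use: takes the incoming header map, returns headers to add.
function corsHeadersForRequest(requestHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  const key = Object.keys(requestHeaders).find((k) => k.toLowerCase() === 'origin');
  return strictCorsHeaders(key === undefined ? undefined : requestHeaders[key], allowedOrigins);
}
```

The strict validator deliberately returns no header rather than a deny value, because there is no "deny" in CORS: absence of Access-Control-Allow-Origin is what makes the browser withhold the response from the calling page. Same-origin requests carry no Origin on GET and are unaffected.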
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Damstra/Smart Asset
- Range: 2020.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/lukaszstu/SmartAsset-CORS-CVE-2020-26527/blob/main/README.md
- smartasset.com
- support.damstratechnology.com/hc/en-us/categories/900000115446-SmartAsset-Damstra-Asset-Management-Platform
News mentions
No linked articles in our index yet.