Device API endpoint missing access controls on Western Digital Mobile and Web Apps
Description
A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Android Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request.
This issue affects My Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; My Cloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126; ibi Web App: before 4.26.0-6126.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
My Cloud OS 5, My Cloud Home, and ibi mobile and web apps before the patched versions allowed an attacker on the same network to read device information via a cross-site request, because of missing access controls and a permissive CORS policy.
Vulnerability
The Western Digital My Cloud OS 5, My Cloud Home, and SanDisk ibi mobile and web applications before the specified fixed versions contain a missing access controls vulnerability in a device API endpoint [1]. The endpoint lacked proper authentication for requests originating from private IP addresses, and a permissive CORS policy allowed cross-origin requests from attacker-controlled servers [1]. Affected versions include My Cloud OS 5 Mobile App before 4.21.0, My Cloud Home Mobile App before 4.21.0, ibi Mobile App before 4.21.0, My Cloud OS 5 Web App before 4.26.0-6126, My Cloud Home Web App before 4.26.0-6126, and ibi Web App before 4.26.0-6126 [1].
Exploitation
The attacker must be on the same network as the victim's device and host a malicious page [1]. The victim must be induced to visit that page from a client that can reach the device's private IP address [1]. The description does not require the victim to be logged in: the endpoint waived authentication for requests arriving from private IPs, so the victim's browser only needs to sit on the same network as the device [1]. The attacker's page then issues a cross-site request to the vulnerable device API endpoint; because the request arrives from a private IP and the CORS policy is permissive, the device answers and the browser exposes the response to the attacker's origin, which can forward the device information to the attacker [1].
Impact
A successful attack discloses device information to the remote attacker [1]. The description does not specify which data fields are exposed. No write access or command execution is described; the impact is limited to information disclosure, and the attack is confined to networks from which the victim's client can reach the device's private IP address [1].
Mitigation
Western Digital released fixed versions in March 2023: mobile apps must be updated to version 4.21.0 or later, and web apps are automatically updated to version 4.26.0-6126 or later [1]. Users should ensure their mobile apps are updated through official app stores, and no further workaround is necessary as the web apps are automatically patched [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- SanDisk / ibi Mobile App: before 4.21.0
- SanDisk / ibi Web App: before 4.26.0-6126
- Western Digital / My Cloud Home Mobile App: before 4.21.0
- Western Digital / My Cloud Home Web App: before 4.26.0-6126
- Western Digital / My Cloud OS 5 Mobile App: before 4.21.0
- Western Digital / My Cloud OS 5 Web App: before 4.26.0-6126
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.