CVE-2026-37737: sanic-cors CORS Bypass via Improper Regex Anchoring
A flaw in sanic-cors version 2.2.0 and earlier allows attackers to circumvent CORS (Cross-Origin Resource Sharing) origin restrictions. The vulnerability stems from improper validation of allowed origins: an attacker can register a domain name that starts with a trusted origin string to trick the library into allowing cross-origin requests that should have been blocked. For example, if a site trusts 'trusted.com', an attacker registering 'trusted.com.attacker.com' could bypass the allowlist. This exposes authenticated resources to unauthorized cross-origin access.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-346, CWE-625
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
sanic-cors version 2.2.0 and prior contains an improper regular expression in the try_match() function in sanic_cors/core.py that uses re.match without end-anchoring. This allows an attacker to bypass CORS origin allowlists by registering a domain that begins with a trusted origin string, to gain unauthorized access to cross-origin requests for authenticated resources.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The try_match() function in sanic_cors/core.py uses Python's re.match() without anchoring the pattern to the end of the string. The re.match() function only anchors at the start, allowing partial matches. An attacker can register a domain beginning with a whitelisted origin to satisfy the regex without matching the full origin string. This is a classic regular expression anchoring mistake (CWE-625). The vulnerability affects CORS policy enforcement (CWE-346), which is meant to prevent unauthorized cross-origin requests.
Business impact
Attackers can access sensitive, authenticated resources via cross-origin requests despite CORS allowlist configuration. This is particularly dangerous for APIs or web applications serving user data, financial information, or account-specific resources. An attacker does not need to compromise the target site itself—only register a malicious domain and trick a user into visiting it while logged into the target application. The impact is confidentiality-focused: data exposure without requiring authentication bypass.
Affected systems
sanic-cors version 2.2.0 and all prior releases are vulnerable. sanic-cors is a Python library providing CORS support for Sanic web framework applications. Any application using sanic-cors with version ≤2.2.0 is at risk. Applications using newer versions, custom CORS implementations, or other frameworks (Flask, Django, etc.) are not directly affected.
Exploitability
Exploitability is moderate. An attacker must (1) register or control a domain starting with a trusted origin, (2) trick a user into visiting the attacker's domain while authenticated to the target site (often via phishing or social engineering), and (3) execute cross-origin requests to authenticated endpoints. No special privileges, network access, or authentication are required; user interaction (visiting the attacker's site) is the primary barrier. The attack is practical for motivated threat actors targeting high-value targets.
Remediation
Upgrade sanic-cors to a version after 2.2.0 that includes the fix. Verify that the patched version correctly anchors the origin regex pattern (using $ or re.FULLMATCH). Alternatively, implement custom CORS validation that compares origins without regex, ensuring exact string matching of the full origin domain. Review CORS configurations in production to ensure origin allowlists are as restrictive as possible (prefer specific domains over wildcards).
Patch guidance
Consult the sanic-cors project repository and release notes to identify the fixed version number (verify against the vendor advisory, as patch versions are not provided in the source data). Update the dependency in your requirements.txt or pyproject.toml, then test your application's CORS behavior against your allowlist before production deployment. Ensure testing covers edge cases such as subdomain allowlists and origin matching.
Detection guidance
Monitor application logs for cross-origin requests originating from unexpected domains, especially those with names similar to or containing trusted origin strings. Review CORS allowlist configurations and compare them to actual allowed origins in logs. Use browser developer tools to inspect cross-origin requests and their origin headers. Network-level detection is challenging without access to origin headers; focus on application-level logging of rejected and accepted CORS requests.
Why prioritize this
Although not currently listed in the CISA KEV catalog, this vulnerability merits prompt prioritization because (1) it directly undermines a primary web security control (CORS), (2) it requires no network-level exploitation and is easy to trigger, (3) it exposes authenticated resources and user data, and (4) the fix is straightforward (upgrade dependency). Organizations with sensitive APIs should treat this as high-priority; others with limited cross-origin traffic may schedule it as medium.
Risk score, explained
The CVSS 3.1 score of 6.5 (MEDIUM) reflects high confidentiality impact (user interaction required, no authentication needed, network-accessible) but no integrity or availability impact. The user interaction requirement (a user must visit the attacker's site) and the requirement to control a similarly-named domain reduce the score from HIGH. Organizations with strict CORS allowlists and user awareness training may see lower practical risk.
Frequently asked questions
What is CORS and why does this matter?
CORS is a browser security mechanism that controls whether a website can make requests to resources on a different domain. Sanic-cors is a library that helps define which origins are allowed. This vulnerability breaks that protection by allowing an attacker to craft a domain name that bypasses the allowlist.
Do I need to have a sanic application to be affected?
Yes. Only applications using the Sanic web framework with sanic-cors library are vulnerable. If you use Flask, Django, FastAPI, or other frameworks, you are not affected by this specific vulnerability—though you may have similar CORS implementations that should be reviewed.
What should I do if I cannot upgrade immediately?
Implement strict CORS origin validation outside of sanic-cors, such as exact-match comparison of the full origin header against a whitelist before processing requests. Reduce the exposure by limiting authenticated endpoints, implementing strong Content Security Policy headers, and educating users about phishing.
Can this vulnerability be exploited without user interaction?
No. The attacker must trick a user into visiting a malicious domain while the user is logged into the target application. Automated scanning or mass exploitation is not practical; this is typically a targeted attack against users of a specific site.
This analysis is based on the published vulnerability description and CVSS vector provided. Patch version numbers and vendor advisory details should be verified directly with the sanic-cors project before deployment. Security impact may vary depending on application configuration, user base, and network environment. This document is for informational purposes and does not constitute security advice or a guarantee of risk assessment accuracy. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10010MEDIUMChrome Android Site Isolation Bypass
- CVE-2026-10937MEDIUMChrome Same-Origin Policy Bypass in Password Handling
- CVE-2026-10996MEDIUMChrome Same-Origin Policy Bypass in Web Workers
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw
- CVE-2026-11048MEDIUMChrome Extension Same-Origin Policy Bypass (Medium, 6.5)
- CVE-2026-11081MEDIUMChrome Canvas Same-Origin Policy Bypass