External risk intelligence

MagicMirror² could allow external attacker to steal server secrets and access internal systems.

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-42281

An external attacker can manipulate MagicMirror² to probe private network resources and steal sensitive server credentials. This exposes confidential information and potentially allows unauthorized access to internal business systems.

Halo Surface Signal: 2

Weakness: Server-Side Request Forgery

Product: MagicMirror²

Affected versions: before 2.36.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-42281

MagicMirror² is a modular smart mirror platform intended for physical displays within local or private networks. It is not designed to be an internet-facing service, and public exposure is uncommon in typical real-world deployments, usually requiring specific user configuration.

Horizon Alert

Summary of the vulnerability and why it matters

An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in MagicMirror²'s `/cors` endpoint lets attackers make the server send arbitrary HTTP requests to destinations of their choosing. Because the endpoint also expands environment variable references, an attacker can read secrets held in the server's environment (such as API keys) in addition to reaching internal systems that the mirror host can see.

  • Remote attackers can exploit this.
  • Internal network access is a risk.
  • Sensitive data exfiltration is possible.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can send a crafted request to the `/cors` endpoint of a vulnerable MagicMirror² instance and have the server perform an arbitrary outbound HTTP request on their behalf. Targets can include internal network services, cloud metadata services, or services bound to localhost that are otherwise unreachable from the attacker's position. Because the endpoint also expands environment variable references, the same request can carry secrets from the server's environment (for example API keys) to an attacker-controlled host.

  • No authentication required.
  • Reaches internal, localhost and cloud-metadata services from the mirror host's network position.
  • Environment variable expansion leaks server-side secrets.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability is attractive to attackers because it combines unauthenticated Server-Side Request Forgery (SSRF) with secret exfiltration through environment variable expansion: a single network request can both probe the internal network behind the mirror host and leak credentials from its environment, without any prior authentication. The low external exposure of typical deployments (see Halo Surface Signal above) limits the number of reachable targets, but any instance reachable from an untrusted network is exposed.

  • Unauthenticated SSRF for network pivoting.
  • Environment variable expansion for secret exfiltration.
  • Exploitable via network endpoint.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize updating MagicMirror² installations to version 2.36.0 or later, which fixes the critical SSRF vulnerability that lets unauthenticated remote attackers issue arbitrary HTTP requests from the server and exfiltrate secrets. If patching is delayed, keep the MagicMirror² web port off untrusted networks (including untrusted LAN segments) and restrict the mirror host's outbound traffic to the hosts its modules actually need, so that requests to loopback, private and link-local addresses (including cloud metadata services) are dropped. If an instance was reachable from an untrusted network while vulnerable, treat API keys and other secrets held in its environment as potentially exposed and rotate them.

  • Update MagicMirror² to 2.36.0 or later.
  • Restrict the mirror host's outbound traffic to an allow-list of required destinations; block loopback, private and link-local targets.
  • Review access logs for `/cors` requests whose target URLs point at internal or localhost addresses, or carry variable references, and alert on them.

Frequently asked questions

What is MagicMirror² and what is it used for?

MagicMirror² is an open-source, modular smart mirror platform. It allows users to transform a regular mirror into an interactive display that can show various information like news, weather, calendars, and to-do lists, often integrated with a Raspberry Pi.

What kind of vulnerability does CVE-2026-42281 represent?

CVE-2026-42281 is a Server-Side Request Forgery (SSRF) vulnerability. This weakness allows an attacker to trick the MagicMirror² server into making requests to internal networks, cloud metadata services, or other localhost services that it would normally not access.

How can an attacker exploit this vulnerability?

An attacker can exploit this by sending a specially crafted request to the `/cors` endpoint of a vulnerable MagicMirror² server. The endpoint behaves as an open proxy, fetching whatever URL it is given, and the vulnerable versions also expand environment variable references, which can be used to exfiltrate sensitive secrets such as API keys.

Who should be concerned about this vulnerability based on its access?

Anyone running a MagicMirror² instance that is reachable from an untrusted network, including an untrusted local area network (LAN), should be concerned. While MagicMirror² is typically used in private settings, an instance exposed externally presents a real risk. Halo Surface Signal indicates that such instances are unlikely to be internet-facing by default.

What is the first step to address CVE-2026-42281?

The primary immediate step is to update MagicMirror² to version 2.36.0 or later, as this version includes a fix for the vulnerability. If immediate patching is not possible, consider isolating the affected system through network segmentation.
