CVE-2026-54753

Source
https://cve.org/CVERecord?id=CVE-2026-54753
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54753.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54753
Aliases
  • GHSA-g2r8-wvmj-jf5w
Published
2026-06-26T18:13:34.371Z
Modified
2026-07-08T08:14:16.227143698Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N CVSS Calculator
Summary
Nx: `nx graph` dev server permissive CORS policy
Details

Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer visited read the server's responses cross-origin — including the full project graph and the output of the /help endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but can be arbitrary command injection in rare cases. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54753.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-749",
        "CWE-942"
    ]
}
References

Affected packages

Git / github.com/nrwl/nx

Affected ranges

Type
GIT
Repo
https://github.com/nrwl/nx
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "17.0.4"
        },
        {
            "fixed": "22.7.2"
        },
        {
            "introduced": "23.0.0-beta.0"
        },
        {
            "fixed": "23.0.0-beta.2"
        }
    ]
}

Affected versions

17.*
17.0.4
17.0.5
18.*
18.3.0
18.3.0-beta.0
18.3.0-beta.1
18.3.0-beta.2
18.3.0-beta.3
18.3.1
19.*
19.0.0
19.0.0-beta.0
19.0.0-beta.1
19.0.0-beta.10
19.0.0-beta.11
19.0.0-beta.2
19.0.0-beta.3
19.0.0-beta.4
19.0.0-beta.5
19.0.0-beta.6
19.0.0-beta.8
19.0.0-beta.9
19.0.0-rc.0
19.0.0-rc.1
19.0.0-rc.2
19.1.0
19.1.0-beta.0
19.1.0-beta.1
19.1.0-beta.2
19.1.0-beta.3
19.1.0-beta.4
19.1.0-beta.5
19.2.0
19.2.0-beta.0
19.2.0-beta.1
19.2.0-beta.2
19.2.0-beta.3
19.2.0-beta.4
19.2.0-beta.5
19.2.0-beta.6
19.2.0-beta.7
19.2.0-rc.0
19.2.0-rc.1
19.2.1
19.2.2
19.2.3
19.3.0-beta.0
19.3.0-beta.1
19.3.0-beta.2
19.4.0
19.4.0-beta.0
19.4.0-beta.1
19.4.0-beta.2
19.4.0-rc.0
19.5.0
19.5.0-beta.0
19.5.0-beta.2
19.5.0-beta.3
19.5.0-beta.4
19.5.0-beta.5
19.5.1
19.6.0
19.6.0-beta.0
19.6.0-beta.1
19.6.0-beta.2
19.6.0-beta.3
19.6.0-beta.4
19.6.0-beta.5
19.6.0-beta.6
19.6.0-rc.0
19.7.0
19.7.0-beta.0
19.7.0-beta.1
19.7.0-beta.2
19.7.0-beta.3
19.7.0-beta.4
19.7.0-beta.5
19.7.0-beta.6
19.7.1
19.7.2
19.8.0
19.8.0-beta.0
19.8.0-beta.1
19.8.0-beta.2
19.8.0-beta.3
20.*
20.0.0
20.0.0-beta.0
20.0.0-beta.1
20.0.0-beta.2
20.0.0-beta.3
20.0.0-beta.4
20.0.0-beta.5
20.0.0-beta.6
20.0.0-beta.7
20.0.0-beta.8
20.0.0-rc.0
20.1.0
20.1.0-beta.0
20.1.0-beta.1
20.1.0-beta.2
20.1.0-beta.3
20.1.0-beta.4
20.1.0-beta.5
20.2.0
20.2.0-beta.0
20.2.0-beta.1
20.2.0-beta.2
20.2.0-beta.3
20.2.0-beta.4
20.2.0-beta.5
20.2.0-beta.6
20.2.0-beta.7
20.2.0-rc.0
20.3.0
20.3.0-beta.0
20.3.0-beta.1
20.3.0-rc.0
20.4.0
20.4.0-beta.0
20.4.0-beta.1
20.4.0-beta.2
20.4.0-rc.0
20.5.0
20.5.0-beta.0
20.5.0-beta.1
20.5.0-beta.2
20.5.0-beta.3
20.5.0-beta.4
20.5.0-beta.5
20.5.0-rc.0
20.5.0-rc.1
20.5.0-rc.2
20.5.0-rc.3
20.5.0-rc.4
20.6.0
20.6.0-beta.0
20.6.0-beta.1
20.7.0
20.7.0-beta.0
20.7.0-beta.1
20.7.0-beta.2
20.7.0-beta.3
20.8.0
20.8.0-beta.0
20.8.0-beta.1
20.8.0-beta.2
20.8.0-rc.0
21.*
21.0.0
21.0.0-beta.10
21.0.0-beta.11
21.0.0-beta.12
21.0.0-beta.3
21.0.0-beta.4
21.0.0-beta.5
21.0.0-beta.6
21.0.0-beta.7
21.0.0-beta.8
21.0.0-beta.9
21.0.0-rc.0
21.0.0-rc.1
21.0.0-rc.2
21.0.0-rc.3
21.0.0-rc.4
21.0.1
21.0.2
21.0.3
21.0.4-beta.0
21.1.0
21.1.0-beta.0
21.1.0-beta.1
21.1.0-beta.2
21.2.0
21.2.0-beta.1
21.2.0-beta.2
21.2.0-beta.3
21.2.0-beta.4
21.2.0-beta.5
21.2.1
21.3.0
21.3.0-beta.0
21.3.0-beta.1
21.3.0-beta.2
21.3.0-beta.3
21.3.0-beta.4
21.3.0-beta.5
21.3.0-beta.6
21.3.0-beta.7
21.3.0-rc.0
21.4.0
21.4.0-beta.0
21.4.0-beta.1
21.4.0-beta.10
21.4.0-beta.11
21.4.0-beta.12
21.4.0-beta.2
21.4.0-beta.3
21.4.0-beta.4
21.4.0-beta.5
21.4.0-beta.6
21.4.0-beta.7
21.4.0-beta.8
21.4.0-beta.9
21.5.0-beta.0
21.5.0-beta.1
21.5.0-beta.2
21.5.1
21.5.1-beta.3
21.5.1-beta.4
21.5.1-beta.5
21.6.1
21.6.1-beta.0
21.6.1-beta.1
21.6.1-beta.2
21.6.1-beta.3
21.6.1-beta.4
21.6.1-rc.0
22.*
22.0.0
22.0.0-beta.0
22.0.0-beta.1
22.0.0-beta.2
22.0.0-beta.3
22.0.0-beta.4
22.0.0-beta.5
22.0.0-beta.6
22.0.0-beta.7
22.0.0-beta.8
22.0.0-beta.9
22.0.0-rc.0
22.0.1
22.1.0
22.1.0-beta.0
22.1.0-beta.1
22.1.0-beta.2
22.1.0-beta.3
22.1.0-beta.4
22.1.0-beta.5
22.1.0-beta.6
22.1.0-beta.7
22.1.0-beta.8
22.1.0-rc.0
22.1.0-rc.1
22.1.0-rc.2
22.1.0-rc.3
22.1.0-rc.4
22.1.0-rc.5
22.1.1
22.2.0
22.2.0-beta.0
22.2.0-beta.1
22.2.0-beta.2
22.2.0-beta.3
22.2.0-beta.4
22.2.1
22.2.2
22.2.3
22.3.0
22.3.0-beta.0
22.3.0-beta.1
22.3.0-beta.2
22.3.0-beta.3
22.4.0
22.4.0-beta.0
22.4.0-beta.1
22.4.0-beta.2
22.4.0-beta.3
22.4.0-beta.4
22.4.0-beta.5
22.4.1
22.5.0
22.5.0-beta.0
22.5.0-beta.1
22.5.0-beta.2
22.5.0-beta.3
22.5.0-beta.4
22.5.0-beta.5
22.6.0
22.6.0-beta.0
22.6.0-beta.1
22.6.0-beta.10
22.6.0-beta.11
22.6.0-beta.12
22.6.0-beta.13
22.6.0-beta.14
22.6.0-beta.2
22.6.0-beta.3
22.6.0-beta.4
22.6.0-beta.5
22.6.0-beta.6
22.6.0-beta.7
22.6.0-beta.8
22.6.0-beta.9
22.6.0-rc.0
22.6.0-rc.1
22.6.0-rc.2
22.7.0
22.7.0-beta.0
22.7.0-beta.1
22.7.0-beta.10
22.7.0-beta.11
22.7.0-beta.12
22.7.0-beta.13
22.7.0-beta.14
22.7.0-beta.15
22.7.0-beta.16
22.7.0-beta.17
22.7.0-beta.2
22.7.0-beta.3
22.7.0-beta.4
22.7.0-beta.5
22.7.0-beta.6
22.7.0-beta.7
22.7.0-beta.8
22.7.0-beta.9
22.7.0-rc.0
22.7.0-rc.1
22.7.0-rc.2
22.7.1
23.*
23.0.0-beta.0
23.0.0-beta.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54753.json"