highCVE-2026-57111

Apache Helix REST API Permissive CORS Vulnerability

Permissive Cross-Origin Resource Sharing (CORS) in the REST API (helix-rest, org.apache.helix.rest.server.filters.CORSFilter) in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin requests to administrative REST endpoints via a cross-origin request from an arbitrary origin, since the filter unconditionally returns Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true and reflects arbitrary Access-Control-Request-Method / Access-Control-Request-Headers values in preflight responses. Users are recommended to upgrade to version 2.0.1, which fixes this issue.

ProductApache Helix
CVSS7.5
EPSS0.0017
UpdatedJuly 10, 2026

Quick answer

Apache Software Foundation Apache Helix should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Apache Helix through 2.0.0

Fixed versions

  • 2.0.1

How to fix it

Apache Helix is affected by CVE-2026-57111. Versions through 2.0.0 can return permissive CORS headers on administrative REST endpoints, so an attacker-controlled web page may act through an authorized user. Upgrade to 2.0.1 and restrict REST access.

  1. Inventory Apache Helix REST servers and identify which administrative endpoints are browser-accessible.
  2. Upgrade Apache Helix to 2.0.1 or later.
  3. Restrict helix-rest administrative endpoints to trusted networks, VPN, or reverse proxy authentication.
  4. Disable wildcard CORS and credentialed cross-origin access unless explicitly required for trusted origins.
  5. Invalidate privileged browser sessions if cross-origin exploitation is suspected.
  6. Review logs for unusual Origin headers, preflight requests, or administrative changes from user sessions.
  7. Restart Helix REST services after updating packages or deployment artifacts.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm Apache Helix reports 2.0.1 or later.
  • Run a browser CORS test from an untrusted origin and confirm administrative responses are blocked.
  • Confirm trusted UI/API clients still work through approved origins.
  • Review audit logs for unauthorized cluster administration changes.
  • Run a Fixnx scan and confirm public REST/API exposure is reviewed.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-57111?

Apache Software Foundation Apache Helix versions listed as affected should be reviewed: Apache Helix through 2.0.0.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.