CVE-2026-54753
CWE-749Published: June 26, 2026· Updated: Jun 26, 2026
Official Description
Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer visited read the server's responses cross-origin — including the full project graph and the output of the /help endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but can be arbitrary command injection in rare cases. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.
Technical Analysis
CVE-2026-54753 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation does not require any privileges, though user interaction (Required) is needed, which slightly reduces the risk of mass automated attacks.
A successful exploit results in complete confidentiality breach (data exposure), with a CVSS base score of 5.9.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (2)
Quick Facts
Related CVEs (CWE-749)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-54753 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts