{"id":"CVE-2026-54753","summary":"Nx: `nx graph` dev server permissive CORS policy","details":"Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer visited read the server's responses cross-origin — including the full project graph and the output of the /help endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but can be arbitrary command injection in rare cases. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.","aliases":["GHSA-g2r8-wvmj-jf5w"],"modified":"2026-07-08T08:14:16.227143698Z","published":"2026-06-26T18:13:34.371Z","database_specific":{"cwe_ids":["CWE-749","CWE-942"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54753.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54753.json"},{"type":"ADVISORY","url":"https://github.com/nrwl/nx/security/advisories/GHSA-g2r8-wvmj-jf5w"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54753"},{"type":"FIX","url":"https://github.com/nrwl/nx/pull/35494"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nrwl/nx","events":[{"introduced":"3b182e4650515387e65e8c306740c3dd8e5348f0"},{"fixed":"4e9ea1bc3f44fb90f4ef242bf248dbc903aebef8"},{"introduced":"608c3bec02e94d14fc0259048dbc1038a0d66801"},{"fixed":"8fb55c7c02856d4edb845897c0c95dc392c9495b"}],"database_specific":{"extracted_events":[{"introduced":"17.0.4"},{"fixed":"22.7.2"},{"introduced":"23.0.0-beta.0"},{"fixed":"23.0.0-beta.2"}],"source":"AFFECTED_FIELD"}}],"versions":["22.7.0-beta.0","22.7.1","22.7.0","23.0.0-beta.1","23.0.0-beta.0","22.7.0-rc.2","22.7.0-rc.1","22.7.0-rc.0","22.7.0-beta.17","22.7.0-beta.16","22.7.0-beta.15","22.7.0-beta.14","22.7.0-beta.13","22.7.0-beta.12","22.7.0-beta.11","22.7.0-beta.10","22.7.0-beta.9","22.7.0-beta.8","22.7.0-beta.7","22.7.0-beta.6","22.7.0-beta.5","22.7.0-beta.4","22.7.0-beta.3","22.7.0-beta.2","22.7.0-beta.1","22.6.0","22.6.0-rc.2","22.6.0-rc.1","22.6.0-rc.0","22.6.0-beta.14","22.6.0-beta.13","22.6.0-beta.12","22.6.0-beta.11","22.6.0-beta.10","22.6.0-beta.9","22.6.0-beta.8","22.6.0-beta.7","22.6.0-beta.6","22.6.0-beta.5","22.6.0-beta.4","22.6.0-beta.3","22.6.0-beta.2","22.6.0-beta.1","22.6.0-beta.0","22.5.0","22.5.0-beta.5","22.5.0-beta.4","22.5.0-beta.3","22.5.0-beta.2","22.5.0-beta.1","22.4.1","22.5.0-beta.0","22.4.0","22.4.0-beta.5","22.4.0-beta.4","22.4.0-beta.3","22.4.0-beta.2","22.4.0-beta.1","22.4.0-beta.0","22.3.0","22.3.0-beta.3","22.3.0-beta.2","22.3.0-beta.1","22.2.3","22.3.0-beta.0","22.2.2","22.2.1","22.2.0","22.2.0-beta.4","22.2.0-beta.3","22.2.0-beta.2","22.2.0-beta.1","22.2.0-beta.0","22.1.1","22.1.0","22.1.0-rc.5","22.1.0-rc.4","22.1.0-rc.3","22.1.0-rc.2","22.1.0-rc.1","22.1.0-rc.0","22.1.0-beta.8","22.1.0-beta.7","22.1.0-beta.6","22.1.0-beta.5","22.1.0-beta.4","22.1.0-beta.3","22.1.0-beta.2","22.1.0-beta.1","22.0.1","22.1.0-beta.0","22.0.0","22.0.0-rc.0","22.0.0-beta.9","22.0.0-beta.8","22.0.0-beta.7","22.0.0-beta.6","22.0.0-beta.5","22.0.0-beta.4","22.0.0-beta.3","22.0.0-beta.2","22.0.0-beta.1","22.0.0-beta.0","21.6.1","21.6.1-rc.0","21.6.1-beta.4","21.6.1-beta.3","21.6.1-beta.2","21.6.1-beta.1","21.5.1","21.6.1-beta.0","21.5.1-beta.5","21.5.1-beta.4","21.5.1-beta.3","21.5.0-beta.2","21.4.0","21.5.0-beta.1","21.5.0-beta.0","21.4.0-beta.12","21.4.0-beta.11","21.4.0-beta.10","21.4.0-beta.9","21.4.0-beta.8","21.4.0-beta.7","21.4.0-beta.6","21.4.0-beta.5","21.4.0-beta.4","21.4.0-beta.3","21.4.0-beta.2","21.4.0-beta.1","21.3.0","21.4.0-beta.0","21.3.0-rc.0","21.3.0-beta.7","21.3.0-beta.6","21.3.0-beta.5","21.3.0-beta.4","21.3.0-beta.3","21.3.0-beta.2","21.3.0-beta.1","21.2.1","21.3.0-beta.0","21.2.0","21.2.0-beta.5","21.2.0-beta.4","21.2.0-beta.3","21.2.0-beta.2","21.2.0-beta.1","21.1.0","21.1.0-beta.2","21.0.3","21.1.0-beta.1","21.1.0-beta.0","21.0.4-beta.0","21.0.2","21.0.1","21.0.0","21.0.0-rc.4","21.0.0-rc.3","21.0.0-rc.2","21.0.0-rc.1","21.0.0-rc.0","21.0.0-beta.12","21.0.0-beta.11","21.0.0-beta.10","21.0.0-beta.9","21.0.0-beta.8","20.8.0","21.0.0-beta.7","21.0.0-beta.6","21.0.0-beta.5","21.0.0-beta.3","21.0.0-beta.4","20.8.0-rc.0","20.8.0-beta.2","20.8.0-beta.1","20.8.0-beta.0","20.7.0","20.7.0-beta.3","20.7.0-beta.2","20.7.0-beta.1","20.6.0-beta.1","20.6.0","20.7.0-beta.0","20.5.0","20.6.0-beta.0","20.5.0-rc.4","20.5.0-rc.3","20.5.0-rc.2","20.5.0-rc.1","20.5.0-rc.0","20.5.0-beta.5","20.5.0-beta.4","20.5.0-beta.3","20.5.0-beta.2","20.4.0-rc.0","20.4.0","20.5.0-beta.1","20.5.0-beta.0","20.4.0-beta.2","20.4.0-beta.1","20.4.0-beta.0","20.3.0","20.3.0-rc.0","20.3.0-beta.1","20.3.0-beta.0","20.2.0","20.2.0-rc.0","20.2.0-beta.7","20.2.0-beta.6","20.2.0-beta.5","20.2.0-beta.4","20.2.0-beta.3","20.2.0-beta.2","20.2.0-beta.1","20.1.0","20.2.0-beta.0","20.1.0-beta.5","20.1.0-beta.4","20.1.0-beta.3","20.1.0-beta.2","20.1.0-beta.1","20.1.0-beta.0","20.0.0","20.0.0-rc.0","20.0.0-beta.8","20.0.0-beta.7","20.0.0-beta.6","20.0.0-beta.5","20.0.0-beta.4","20.0.0-beta.3","19.8.0","20.0.0-beta.2","20.0.0-beta.1","20.0.0-beta.0","19.8.0-beta.3","19.8.0-beta.2","19.8.0-beta.1","19.8.0-beta.0","19.7.2","19.7.1","19.7.0","19.7.0-beta.6","19.7.0-beta.5","19.7.0-beta.4","19.7.0-beta.3","19.7.0-beta.2","19.7.0-beta.1","19.7.0-beta.0","19.6.0","19.6.0-rc.0","19.6.0-beta.6","19.6.0-beta.5","19.6.0-beta.4","19.6.0-beta.3","19.6.0-beta.2","19.6.0-beta.1","19.6.0-beta.0","19.5.1","19.5.0","19.5.0-beta.5","19.5.0-beta.4","19.5.0-beta.3","19.5.0-beta.2","19.5.0-beta.0","19.4.0","19.4.0-rc.0","19.4.0-beta.2","19.3.0-beta.2","19.4.0-beta.1","19.4.0-beta.0","19.3.0-beta.1","19.2.3","19.2.2","19.2.1","19.3.0-beta.0","19.2.0","19.2.0-rc.1","19.2.0-rc.0","19.2.0-beta.7","19.2.0-beta.6","19.2.0-beta.5","19.2.0-beta.4","19.2.0-beta.3","19.2.0-beta.2","19.2.0-beta.1","19.2.0-beta.0","19.1.0","19.1.0-beta.5","19.1.0-beta.4","19.1.0-beta.3","19.1.0-beta.2","19.1.0-beta.1","19.1.0-beta.0","19.0.0-rc.2","19.0.0","19.0.0-rc.1","19.0.0-rc.0","19.0.0-beta.11","19.0.0-beta.10","19.0.0-beta.9","19.0.0-beta.8","19.0.0-beta.6","19.0.0-beta.5","19.0.0-beta.4","19.0.0-beta.3","19.0.0-beta.2","19.0.0-beta.1","19.0.0-beta.0","18.3.1","18.3.0","18.3.0-beta.3","18.3.0-beta.2","18.3.0-beta.1","17.0.5","18.3.0-beta.0","17.0.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54753.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N"}]}