CVE-2026-10706

Summary

In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties.

Affected Software

VendorProductVersion RangeStatus
Adalo No-Code App BuilderApp Builder1 <= 2affected

Weaknesses

  • CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

References