{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "17.0.4"
              },
              {
                "fixed": "22.7.2"
              },
              {
                "introduced": "23.0.0-beta.0"
              },
              {
                "fixed": "23.0.0-beta.2"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "3b182e4650515387e65e8c306740c3dd8e5348f0"
            },
            {
              "fixed": "4e9ea1bc3f44fb90f4ef242bf248dbc903aebef8"
            },
            {
              "introduced": "608c3bec02e94d14fc0259048dbc1038a0d66801"
            },
            {
              "fixed": "8fb55c7c02856d4edb845897c0c95dc392c9495b"
            }
          ],
          "repo": "https://github.com/nrwl/nx",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-g2r8-wvmj-jf5w"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-749",
      "CWE-942"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54753.json"
  },
  "details": "Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer visited read the server's responses cross-origin — including the full project graph and the output of the /help endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but can be arbitrary command injection in rare cases. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.",
  "id": "CVE-2026-54753",
  "modified": "2026-07-08T05:38:04.480505169Z",
  "published": "2026-06-26T18:13:34.371Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54753.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/nrwl/nx/security/advisories/GHSA-g2r8-wvmj-jf5w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54753"
    },
    {
      "type": "FIX",
      "url": "https://github.com/nrwl/nx/pull/35494"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nx: `nx graph` dev server permissive CORS policy"
}