VU#849433: Adalo Database API ... Note

VU#849433: Adalo Database API Enables Cross-App User Data Extraction via Over-Fetching and Missing Authorization Controls

Adalo's no-code application platform has a significant security flaw that exposes complete user records through its database API for all applications built on both V1 and V2. This issue affects over one million applications, putting developers and their end users at risk of data exposure. The problem arises from a platform-level flaw that allows authenticated users to retrieve full user data belonging to any Adalo application, regardless of configuration. Adalo is a Software-as-a-Service provider for building no-code applications, and each application is supposed to be logically isolated with separate databases, users, and configurations. However, the Adalo database API contains a flaw that allows the backend to return complete user records for every list component request, regardless of which fields the component is configured to display. The database does not enforce ownership-aware, server-side authorization checks, allowing authenticated users of any Adalo application to query database and table identifiers belonging to other applications and retrieve full records. Additionally, Adalo's use of long-lived JWT tokens, which remain valid for approximately twenty days, allows attackers to reuse these tokens to query the database API directly and extract large volumes of user data. The combination of exposed tokens, permissive CORS behavior, and large response limits enables persistent, automated harvesting of entire user databases using only a single token obtained from any visitor session. The vulnerabilities affect all Adalo applications across both V1 and V2, and customers and tenants should assume that data in Adalo collections may be exposed and avoid storing sensitive information there until a patch is deployed. Adalo has acknowledged the issue, but no patch is currently available, and users should remain aware of increased phishing and identity theft risks and monitor their accounts for suspicious activity.