{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31192", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-22T18:20:21.206Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-22T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-22T14:07:43.747Z"}, "descriptions": [{"lang": "en", "value": "Insufficient validation of Chrome extension identifiers in Raindrop.io Bookmark Manager Web App 5.6.76.0 allows attackers to obtain sensitive user data via a crafted request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin"}, {"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS"}, {"url": "https://support.google.com/chrome_webstore/answer/2664769?hl=en"}, {"url": "https://github.com/incoggeek/vulnerability-research/tree/master/CVE-2026-31192"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "CWE-20 Improper Input Validation"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:20:17.373427Z", "id": "CVE-2026-31192", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:20:21.206Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31192", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-22T18:20:21.206Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-22T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-22T14:07:43.747Z"}, "descriptions": [{"lang": "en", "value": "Insufficient validation of Chrome extension identifiers in Raindrop.io Bookmark Manager Web App 5.6.76.0 allows attackers to obtain sensitive user data via a crafted request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin"}, {"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS"}, {"url": "https://support.google.com/chrome_webstore/answer/2664769?hl=en"}, {"url": "https://github.com/incoggeek/vulnerability-research/tree/master/CVE-2026-31192"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31192", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T18:20:17.373427Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:17:52.476Z"}}]}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient validation of Chrome extension identifiers in Raindrop.io Bookmark Manager Web App 5.6.76.0 allows attackers to obtain sensitive user data via a crafted request."}], "id": "CVE-2026-31192", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-22T14:16:36.420", "references": [{"source": "cve@mitre.org", "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS"}, {"source": "cve@mitre.org", "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin"}, {"source": "cve@mitre.org", "url": "https://github.com/incoggeek/vulnerability-research/tree/master/CVE-2026-31192"}, {"source": "cve@mitre.org", "url": "https://support.google.com/chrome_webstore/answer/2664769?hl=en"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T19:27:48.951848+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Raindrop.io Bookmark Manager Web App where the issue has been fixed", "If an immediate upgrade is not possible, block or restrict the endpoint that accepts Chrome extension identifiers by allowing only whitelisted IDs through a firewall or proxy rule", "Enforce strict server\u2011side validation so the extension identifier matches a known, allowed set before processing any request", "Regularly audit application logs for abnormal requests to the extension identifier endpoint and investigate any suspicious activity"], "summary": {"action": "Patch immediately", "impact": "Unauthorized access to user data"}, "threat_synthesis": {"affected_systems": "The affected system is the Raindrop.io Bookmark Manager Web App version 5.6.76.0. No additional vendor or product versions are enumerated in the available data.", "description_and_impact": "This vulnerability arises from insufficient validation of Chrome extension identifiers in the Raindrop.io Bookmark Manager Web App version 5.6.76.0, permitting attackers to craft requests that retrieve sensitive user data. The weakness is an improper input validation that allows access to private bookmark information and other confidential data normally restricted to authenticated users. The potential impact is the exposure of private user data, leading to privacy violations and possible credential theft.", "risk_and_exploitability": "The absence of proper validation on the Chrome extension identifier enables attackers to forge requests and pull data from the web application. Because the exploit requires only the ability to send an HTTP request with a crafted extension identifier, it could be performed from a malicious browser extension or a malicious site. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. Nonetheless, the potential for private data exposure warrants a high security posture and prompt remediation."}}}}, "created": "2026-04-22T19:30:24.752617+00:00", "title": "Insufficient Validation of Chrome Extension Identifiers Leading to Sensitive Data Exposure", "updated": "2026-04-22T19:30:24.752629+00:00", "vendors": [], "weaknesses": ["CWE-20", "CWE-285"]}