Banked 2026-06-12 from Web2 passive recon on Moov (moov.io, HackerOne VDP, fintech payments API).
api.moov.io reflects ANY Origin (evil.example.com, null, http, arbitrary subdomains) into
access-control-allow-origin, and always sets access-control-allow-credentials: true.
This is the textbook "reflective CORS with credentials" that triagers often reward as Medium/High.
BUT it was NON-EXPLOITABLE here. The exploitability gate is the AUTH MODEL, not the header.
Reflective ACAO + ACAC=true leaks authenticated data ONLY if the browser AUTO-ATTACHES the victim's credential on the cross-origin request. That requires ambient credentials: - Cookie-based sessions (SameSite=None) -> EXPLOITABLE. Stage it. - HTTP Basic/Digest auth cached by browser -> EXPLOITABLE. - Client TLS cert -> EXPLOITABLE.
If auth is BEARER-TOKEN (Authorization header, token in JS/localStorage) -> NOT exploitable. The attacker page cannot force the victim's browser to attach the bearer token. ACAC=true reads back nothing authenticated. Downgrade to LOW / informational defense-in-depth.
WWW-Authenticate / Set-Cookie.Set-Cookie on the unauth GET. None = SPA holding tokens client-side, not cookies.Those FPs are WAF-EDGE reflection (cosmetic, never reaches app). THIS one was APP-LAYER reflection (survives on the real 401, not just the WAF 403). New wrinkle: app-layer reflection can still be a non-finding when neutralized by bearer-not-cookie auth. So "app-layer, not edge" does NOT automatically promote it to Medium - re-run the auth-model gate above before staging.
CORS-with-credentials severity = f(auth model), not f(header reflection). Bearer-token APIs make the classic reflective-CORS finding inert. Always determine cookie-vs-bearer before staging.