diff --git a/readthedocs/core/signals.py b/readthedocs/core/signals.py
index caa3b24b1dc..08c6e312d3c 100644
--- a/readthedocs/core/signals.py
+++ b/readthedocs/core/signals.py
@@ -85,7 +85,7 @@ def decide_if_cors(sender, request, **kwargs):  # pylint: disable=unused-argumen
                 return True
 
             project = unresolved.project
-            version_slug = unresolved.version_slug
+            version_slug = unresolved.version.slug
         else:
             project_slug = request.GET.get('project', None)
             version_slug = request.GET.get('version', None)
diff --git a/readthedocs/rtd_tests/tests/test_middleware.py b/readthedocs/rtd_tests/tests/test_middleware.py
index 21c4d033133..b827e9eec37 100644
--- a/readthedocs/rtd_tests/tests/test_middleware.py
+++ b/readthedocs/rtd_tests/tests/test_middleware.py
@@ -148,6 +148,23 @@ def test_embed_api_private_version_linked_domain(self):
         resp = self.middleware.process_response(request, {})
         self.assertNotIn('Access-Control-Allow-Origin', resp)
 
+    def test_embed_api_external_url(self):
+        request = self.factory.get(
+            "/api/v2/embed/",
+            {"url": "https://pip.readthedocs.io/en/latest/index.hml"},
+            HTTP_ORIGIN="http://my.valid.domain",
+        )
+        resp = self.middleware.process_response(request, {})
+        self.assertIn("Access-Control-Allow-Origin", resp)
+
+        request = self.factory.get(
+            "/api/v2/embed/",
+            {"url": "https://docs.example.com/en/latest/index.hml"},
+            HTTP_ORIGIN="http://my.valid.domain",
+        )
+        resp = self.middleware.process_response(request, {})
+        self.assertIn("Access-Control-Allow-Origin", resp)
+
     @mock.patch('readthedocs.core.signals._has_donate_app')
     def test_sustainability_endpoint_allways_allowed(self, has_donate_app):
         has_donate_app.return_value = True