Is it possible to exploit CORS with a double Origin value?


I found a website that has a well-implemented CORS configuration, but for some reason I am able to insert 2 Origin headers in a POST request, and both of these values are reflected in the response.

So if I try:

    Host: example.com
    Connection: close
    Origin: https://evil.com
    Origin: https://example.com

The response will be:

    HTTP/1.1 200 OK
    access-control-allow-origin: https://evil.com,https://example.com
    access-control-allow-credentials: true

Is there any way to set this in a payload to be able to exploit this? How could I set the origin value for both of these to exploit it?
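Added example, not part of the original post: a simplified model of the CORS check the Fetch standard has browsers apply to the reflected response above, next to a server-side handler that refuses to reflect duplicate Origin headers. The function names, the `ALLOWED` list and the array-of-header-values input are assumptions made for illustration.

```javascript
// Added example. ALLOWED and the sample header values are constructed.
const ALLOWED = new Set(["https://example.com"]);

// Server side: choose the CORS headers to emit from the raw Origin header
// values of one request (an array, one entry per Origin line received).
function corsHeadersFor(originValues, allowed = ALLOWED) {
  // Anything other than exactly one Origin line is treated as malformed:
  // emit no CORS headers rather than reflecting a joined list.
  if (originValues.length !== 1) return {};
  const origin = originValues[0].trim();
  if (origin.includes(",") || !allowed.has(origin)) return {};
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
    "vary": "Origin", // keep caches from serving one origin's answer to another
  };
}

// Browser side: the Fetch standard's CORS check, simplified. The response
// passes only if Access-Control-Allow-Origin is "*" on a non-credentialed
// request, or equals the request's serialized origin exactly.
function browserCorsCheck(requestOrigin, headers, withCredentials) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (!withCredentials && acao === "*") return true;
  if (acao !== requestOrigin) return false; // a comma-joined list never matches
  if (!withCredentials) return true;
  return headers["access-control-allow-credentials"] === "true";
}

// The response shown in the post: both Origin values reflected, comma-joined.
const reflected = {
  "access-control-allow-origin": "https://evil.com,https://example.com",
  "access-control-allow-credentials": "true",
};
```

Under this model the reflected value matches neither origin, so a browser would not expose the response to script from either site; the handler keeps the server from producing such a header at all.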