CVE-2026-33622

{"id": "CVE-2026-33622", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-26T21:17:06.780", "references": [{"url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-693"}]}], "descriptions": [{"lang": "en", "value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation. The current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes. As of time of publication, a patched version is not yet available."}, {"lang": "es", "value": "PinchTab es un servidor HTTP independiente que da a los agentes de IA control directo sobre un navegador Chrome. PinchTab 'v0.8.3' a 'v0.8.5' permiten la ejecuci\u00f3n arbitraria de JavaScript a trav\u00e9s de 'POST /wait' y 'POST /tabs/{id}/wait' cuando la solicitud usa el modo 'fn', incluso si 'security.allowEvaluate' est\u00e1 deshabilitado. 'POST /evaluate' aplica correctamente la protecci\u00f3n 'security.allowEvaluate', que est\u00e1 deshabilitada por defecto. Sin embargo, en las versiones afectadas, 'POST /wait' acept\u00f3 una expresi\u00f3n 'fn' controlada por el usuario, la incrust\u00f3 directamente en JavaScript ejecutable y la evalu\u00f3 en el contexto del navegador sin verificar la misma pol\u00edtica. Esto es una omisi\u00f3n de pol\u00edtica de seguridad en lugar de una omisi\u00f3n de autenticaci\u00f3n separada. La explotaci\u00f3n a\u00fan requiere acceso autenticado a la API, pero un llamador con el token del servidor puede ejecutar JavaScript arbitrario en un contexto de pesta\u00f1a incluso cuando el operador deshabilit\u00f3 expl\u00edcitamente la evaluaci\u00f3n de JavaScript. El 'worktree' actual soluciona esto aplicando el mismo l\u00edmite de pol\u00edtica al modo 'fn' en '/wait' que ya existe en '/evaluate', mientras se preservan los modos de espera que no son de c\u00f3digo. A partir del momento de la publicaci\u00f3n, una versi\u00f3n parcheada a\u00fan no est\u00e1 disponible."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "security-advisories@github.com"}