Skip to main content

Browserbase CVE-2026-12823

| EUVDEUVD-2026-38204 LOW
Incorrect Privilege Assignment (CWE-266)
2026-06-22 cna@vuldb.com GHSA-vxfm-r32r-fgx3
1.9
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
1.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.3 LOW

Local-only attack requiring a low-privileged account (AV:L/PR:L); only limited confidentiality impact from reading trace artifacts, no integrity or availability consequence.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 22, 2026 - 06:49 vuln.today

DescriptionCVE.org

A security flaw has been discovered in Browserbase up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Incorrect default file permissions in Browserbase's Autobrowse Trace Artifact Handler (versions up to 20260526) expose locally stored trace artifact files to low-privileged users on the same host, resulting in unauthorized information disclosure. A public exploit (poc.sh) was released without a vendor patch, as the vendor did not respond to responsible disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged local shell
Exploit
Identify Autobrowse trace artifact directory
Execution
Read world-readable artifact files
Impact
Extract sensitive session or automation data

Vulnerability AssessmentAI

Exploitation Exploitation requires an existing low-privileged local account on the host running Browserbase (PR:L per CVSS 4.0 AV:L/PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 1.9 accurately reflects a low-severity, low-impact vulnerability: the attack vector is strictly local (AV:L), low privileges are required (PR:L), attack complexity is low (AC:L), and the only impact is limited confidentiality disclosure (VC:L) with no integrity or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged local user on a shared server running Browserbase waits for or triggers an Autobrowse session, then uses the publicly available poc.sh script to locate and read the world-readable trace artifact files written by the Autobrowse Trace Artifact Handler. These files may contain sensitive browsing session data, captured page content, or automation parameters, which the attacker exfiltrates for reconnaissance or credential harvesting. …
Remediation No vendor-released patch has been identified at time of analysis - the vendor did not respond to responsible disclosure, and no fixed version has been confirmed from any reference. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12823 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy