Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local-only attack requiring a low-privileged account (AV:L/PR:L); only limited confidentiality impact from reading trace artifacts, no integrity or availability consequence.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in Browserbase up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Incorrect default file permissions in Browserbase's Autobrowse Trace Artifact Handler (versions up to 20260526) expose locally stored trace artifact files to low-privileged users on the same host, resulting in unauthorized information disclosure. A public exploit (poc.sh) was released without a vendor patch, as the vendor did not respond to responsible disclosure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an existing low-privileged local account on the host running Browserbase (PR:L per CVSS 4.0 AV:L/PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 1.9 accurately reflects a low-severity, low-impact vulnerability: the attack vector is strictly local (AV:L), low privileges are required (PR:L), attack complexity is low (AC:L), and the only impact is limited confidentiality disclosure (VC:L) with no integrity or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged local user on a shared server running Browserbase waits for or triggers an Autobrowse session, then uses the publicly available poc.sh script to locate and read the world-readable trace artifact files written by the Autobrowse Trace Artifact Handler. These files may contain sensitive browsing session data, captured page content, or automation parameters, which the attacker exfiltrates for reconnaissance or credential harvesting. … |
| Remediation | No vendor-released patch has been identified at time of analysis - the vendor did not respond to responsible disclosure, and no fixed version has been confirmed from any reference. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38204
GHSA-vxfm-r32r-fgx3