Skip to main content

CowAgent CVE-2026-15329

| EUVDEUVD-2026-42783 LOW
Information Exposure (CWE-200)
2026-07-10 VulDB GHSA-xgqv-jcxf-qp28
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-reachable but requires authenticated access (PR:L); impact limited strictly to low confidentiality disclosure with no integrity, availability, or scope-change impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 10, 2026 - 04:25 vuln.today
Severity Changed
Jul 10, 2026 - 04:22 NVD
MEDIUM LOW
CVSS changed
Jul 10, 2026 - 04:22 NVD
5.3 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A vulnerability was found in zhayujie CowAgent up to 2.1.0. This issue affects the function BrowserTool._do_navigate of the file agent/tools/browser/browser_tool.py of the component Browser Tool. Performing a manipulation results in information disclosure. The attack can be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Information disclosure in zhayujie CowAgent up to version 2.1.0 exposes sensitive data to low-privileged authenticated remote attackers through the BrowserTool._do_navigate function in the Browser Tool component. Publicly available proof-of-concept exploit code exists via a GitHub issue report, though no patch has been released as the project maintainer has not yet responded to responsible disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to CowAgent with low-privilege account
Exploit
Send crafted request targeting BrowserTool._do_navigate
Execution
Trigger CWE-200 exposure in Browser Tool component
Impact
Receive disclosed sensitive information from function response

Vulnerability AssessmentAI

Exploitation Exploitation requires low-privileged authentication (CVSS 4.0 PR:L) - the attacker must hold a valid account or active session within the CowAgent system; unauthenticated exploitation is not possible per the confirmed CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.1 accurately reflects a low-severity finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user with a low-privilege account on a CowAgent deployment sends a crafted request targeting the BrowserTool._do_navigate function, triggering the information disclosure flaw. Using the publicly available proof-of-concept documented at https://github.com/zhayujie/CowAgent/issues/2871, even a low-skill attacker can reproduce the issue and retrieve internal navigation state, session data, or other sensitive information the function improperly exposes.
Remediation No vendor-released patch has been identified at time of analysis; the project maintainer has not responded to the issue report filed at https://github.com/zhayujie/CowAgent/issues/2871. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15329 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy