CVE-2026-30834
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content. This issue has been patched in version 0.7.7.
Analysis
CVSS base score: 7.5 (HIGH)
Remediation
Within 24 hours: Identify all systems running PinchTab and isolate them from production networks; disable PinchTab services if not critical to operations. Within 7 days: Implement network segmentation to restrict PinchTab access to specific trusted networks only; deploy Web Application Firewall rules to monitor and block suspicious HTTP requests to PinchTab instances. …
External POC / Exploit Code
GHSA-rw8p-c6hf-q3pg