Skip to main content

chrome-devtools-mcp CVE-2026-53766

| EUVDEUVD-2026-39104 MEDIUM
Path Traversal (CWE-22)
2026-06-24 GitHub_M
6.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
vuln.today AI
7.3 HIGH

C upgraded to H from C:N because upload_file demonstrably exfiltrates out-of-root file contents; all other metrics consistent with local, low-privilege symlink placement.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 23:03 EUVD
Analysis Generated
Jun 24, 2026 - 22:27 vuln.today
CVE Published
Jun 24, 2026 - 21:29 cve.org
MEDIUM 6.1

DescriptionCVE.org

Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.24.0 until 1.1.0, McpContext.validatePath() enforces workspace roots by checking whether path.resolve(filePath) textually falls under one of the configured root paths. path.resolve() does not canonicalize symbolic links. As a result, a symlink inside a configured workspace root can point to a file outside that root, pass validation, and then be followed by downstream file read/write operations. This bypass applies even when the MCP client correctly declares the roots capability with a non-empty list. It is separate from the documented legacy behavior where missing roots capability allows all paths. The practical impact is a workspace-boundary bypass. In the write direction, filePath-writing tools can overwrite out-of-root files through an in-root symlink. In the read direction, upload_file can read through the symlink and send the file to the currently selected web page. This vulnerability is fixed in 1.1.0.

AnalysisAI

Symlink-based workspace boundary bypass in chrome-devtools-mcp (versions 0.24.0 through before 1.1.0) allows a local low-privileged actor - including an AI coding agent itself - to read or overwrite files outside the configured workspace root. The McpContext.validatePath() function performs only a lexical prefix check on the resolved path and never canonicalizes symbolic links, so an in-root symlink whose target lies outside the root passes validation and causes downstream file operations to act on the real out-of-workspace target. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Place crafted symlink inside workspace root
Delivery
Trigger agent file tool on symlink path
Exploit
validatePath() passes lexical prefix check
Execution
OS kernel follows symlink to out-of-root target
Impact
Read target file contents via upload_file or overwrite target file via write tool

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) A symbolic link must exist inside a configured workspace root directory - this can be placed by the AI agent itself if it processes attacker-controlled content (e.g., a cloned repository containing a pre-built symlink), by a co-located local process, or by any local user with write access to the workspace; (2) chrome-devtools-mcp must be running version 0.24.0 through 1.0.x; (3) the MCP client must have the roots capability declared and configured with at least one root path (the bug is NOT the undocumented legacy path where roots is absent). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 6.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) captures the local attack vector and high integrity impact accurately, but its C:N rating is inconsistent with the CVE description, which explicitly states that upload_file can read a symlink target and transmit its contents to the currently selected web page - a direct confidentiality breach. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious Git repository cloned by an AI coding agent into the workspace contains a pre-crafted symbolic link at workspace/configs/settings -> /etc/cron.d/evil. When the agent's file-writing tool is invoked against workspace/configs/settings, validatePath() resolves the path to /workspace/configs/settings, passes the root prefix check, and the downstream write follows the symlink and creates or overwrites the cron job outside the workspace boundary. …
Remediation Upgrade chrome-devtools-mcp to version 1.1.0, the vendor-released patch that fixes validatePath() by canonicalizing symbolic links before performing the workspace root prefix check. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53766 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy