{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33081", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.345Z", "datePublished": "2026-03-20T09:05:01.753Z", "dateUpdated": "2026-03-20T09:05:01.753Z"}, "containers": {"cna": {"title": "PinchTab has Blind SSRF via browser-side redirect bypass in /download URL validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-qwxp-6qf9-wr4m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-qwxp-6qf9-wr4m"}, {"name": "https://github.com/pinchtab/pinchtab/releases/tag/v0.8.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/pinchtab/pinchtab/releases/tag/v0.8.3"}], "affected": [{"vendor": "pinchtab", "product": "pinchtab", "versions": [{"version": "< 0.8.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:05:01.753Z"}, "descriptions": [{"lang": "en", "value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Versions 0.8.2 and below have a Blind SSRF vulnerability in the /download endpoint. The validateDownloadURL() function only checks the initial user-supplied URL, but the embedded Chromium browser can follow attacker-controlled redirects/navigations to internal network addresses after validation. Exploitation requires security.allowDownload=true (disabled by default), limiting real-world impact. An attacker-controlled page can use JavaScript redirects or resource requests to make the browser reach internal services from the PinchTab host, resulting in a blind Server-Side Request Forgery (SSRF) condition against internal-only services. The issue has been patched in version 0.8.3."}], "source": {"advisory": "GHSA-qwxp-6qf9-wr4m", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Versions 0.8.2 and below have a Blind SSRF vulnerability in the /download endpoint. The validateDownloadURL() function only checks the initial user-supplied URL, but the embedded Chromium browser can follow attacker-controlled redirects/navigations to internal network addresses after validation. Exploitation requires security.allowDownload=true (disabled by default), limiting real-world impact. An attacker-controlled page can use JavaScript redirects or resource requests to make the browser reach internal services from the PinchTab host, resulting in a blind Server-Side Request Forgery (SSRF) condition against internal-only services. The issue has been patched in version 0.8.3."}], "id": "CVE-2026-33081", "lastModified": "2026-03-20T10:16:18.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-20T10:16:18.563", "references": [{"source": "[email protected]", "url": "https://github.com/pinchtab/pinchtab/releases/tag/v0.8.3"}, {"source": "[email protected]", "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-qwxp-6qf9-wr4m"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T10:22:05.337746+00:00", "value": {"mitigation_remediation": ["Upgrade to PinchTab version 0.8.3 or later.", "If an upgrade is not possible, ensure security.allowDownload is set to false in the configuration file."], "summary": {"action": "Patch", "impact": "Blind SSRF via /download endpoint"}, "threat_synthesis": {"affected_systems": "The affected product is PinchTab (pinchtab:pinchtab). Versions 0.8.2 and below are vulnerable. The vulnerability was fixed in version 0.8.3. The system in question is a standalone HTTP server that gives remote agents control over a Chrome instance.", "description_and_impact": "PinchTab, a standalone HTTP server that allows AI agents to control a Chromium browser, contains a blind Server-Side Request Forgery vulnerability in versions 0.8.2 and earlier. The validateDownloadURL() function checks only the initial user-supplied URL, but the embedded browser can follow attacker\u2011controlled redirects to internal network addresses after validation. This allows an attacker to cause the server\u2019s browser to reach internal\u2011only services, resulting in a blind SSRF condition. The weakness is identified as CWE-918.", "risk_and_exploitability": "The CVSS base score is 5.8, indicating moderate severity, and the issue is not listed in the CISA KEV catalog. Exploitation requires the configuration setting security.allowDownload=true, which is disabled by default, limiting practical impact. The likely attack vector is a remote actor who can send a crafted /download request to the vulnerable server with allowDownload enabled; the attacker can then use JavaScript redirects or other navigation tricks to reach internal services. With the default configuration, the risk is mitigated, but if allowDownload is enabled or misconfigured, the vulnerability can be abused to access internal resources."}}}}, "created": "2026-03-20T10:36:28.530874+00:00", "updated": "2026-03-20T10:36:28.530909+00:00", "vendors": []}