{"data":{"id":"b23b92ad-6baa-46fd-846a-2714f0511cc7","title":"CVE-2026-33620: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.8` throug","summary":"PinchTab, an HTTP server that lets AI agents control Chrome browsers, had a vulnerability in versions 0.7.8 through 0.8.3: it accepted API tokens (credentials that prove a client is authorized to use the service) as URL query parameters. A token passed this way becomes part of the URL, so it is visible in logs and browser history instead of being carried in request headers, which are not part of the URL. This exposed the credentials to intermediary systems that record full URLs, though it only affected deployments that actually passed tokens in the query string.","solution":"This was addressed in v0.8.4 by removing query-string token authentication and requiring safer header- or session-based authentication flows.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-33620","publishedAt":"2026-03-26T21:17:06.410Z","cveId":"CVE-2026-33620","cweIds":["CWE-598"],"cvssScore":"4.3","cvssSeverity":"medium","severity":"medium","attackType":["pii_leakage"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["PinchTab"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-03-26T21:17:06.410Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}