{"data":{"id":"c2ee6e5a-7930-4372-9cf9-28bbedb499a2","title":"CVE-2026-33621: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.7` throug","summary":"PinchTab is an HTTP server (a program that handles web requests) that lets AI agents control a Chrome browser, but versions 0.7.7 through 0.8.4 had incomplete protections against brute-force attacks (rapid repeated requests) on endpoints that check authentication tokens. The middleware (software layer that filters requests) designed to limit requests per IP address was either not activated or had flaws like trusting client-controlled headers, making it easier for attackers to guess weak passwords if they could reach the API.","solution":"This was fully addressed in v0.8.5 by applying RateLimitMiddleware in the production handler chain, deriving the client address from the immediate peer IP instead of trusting forwarded headers by default, and removing the /health and /metrics exemption so auth-checkable endpoints are throttled as well.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-33621","publishedAt":"2026-03-26T21:17:06.597Z","cveId":"CVE-2026-33621","cweIds":["CWE-290","CWE-770"],"cvssScore":"4.8","cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["PinchTab"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","attackVector":"network","attackComplexity":"high","privilegesRequired":"none","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-03-26T21:17:06.597Z","capecIds":["CAPEC-130"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}