CVE-2026-11326: OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site s
Summary
OpenAI Atlas versions before 1.2025.288.15 exposed privileged browser APIs (special functions that control browser features) to web content on *.openai.com origins. As a result, a cross-site scripting vulnerability (a type of attack where malicious code is injected into a website) on forum.openai.com could be exploited to access browser history and control tabs. The vulnerability was caused by improper access control (failing to properly restrict who can use certain functions).
Solution / Mitigation
Users should upgrade to OpenAI Atlas version 1.2025.288.15 or later, which narrows access to these APIs to only the *.chatgpt.com domain.
Vulnerability Details
EPSS: 0.0%
June 4, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-11326
First tracked: June 5, 2026 at 02:08 AM
Classified by LLM (prompt v3) · confidence: 85%