CVE-2026-33081: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Versions 0.8.2 and below
Summary
PinchTab is an HTTP server (a program that handles web requests) that lets AI agents control a Chrome web browser. Versions 0.8.2 and earlier have a blind SSRF vulnerability (a flaw where an attacker tricks the server into making requests to internal networks that should be off-limits) in the /download endpoint, because the server only checks the URL once but the browser can follow hidden redirects to reach internal addresses. The risk is limited because the vulnerable feature is disabled by default.
Solution / Mitigation
The issue has been patched in version 0.8.3.
Vulnerability Details
5.8(medium)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
network
low
none
none
March 20, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-33081
First tracked: March 20, 2026 at 08:07 AM
Classified by LLM (prompt v3) · confidence: 85%