CVE-2026-33619: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains
Summary
PinchTab v0.8.3, a tool that lets AI agents control Chrome browsers through an HTTP server, has a server-side request forgery vulnerability (SSRF, where the server can be tricked into making requests to unintended targets) in its optional webhook system. When tasks are submitted with a user-controlled callback URL, the server sends an HTTP request to that URL without properly validating it, allowing attackers to make the server send requests to private or internal network addresses.
Solution / Mitigation
This was addressed in v0.8.4 by validating callback targets before dispatch, rejecting non-public IP ranges, pinning delivery to validated IPs, disabling redirect following, and validating callbackUrl during task submission.
Vulnerability Details
4.1(medium)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
network
low
high
none
March 26, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-33619
First tracked: March 26, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 85%