CVE-2026-30834: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7,
Summary
PinchTab is an HTTP server that lets AI agents control a Chrome browser. Before version 0.7.7, it had a Server-Side Request Forgery vulnerability (SSRF, a flaw where an attacker tricks a server into making requests to places it shouldn't, like internal networks or local files) in its /download endpoint that let any user with API access make the server request arbitrary URLs and steal the responses.
Solution / Mitigation
This issue has been patched in version 0.7.7.
Vulnerability Details
7.5 (high)
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-30834
First tracked: March 7, 2026 at 03:07 PM