AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-33620: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.8` throug

mediumvulnerability

security

Source: NVD/CVE DatabaseMarch 26, 2026CVE-2026-33620

Summary

PinchTab, an HTTP server that lets AI agents control Chrome browsers, had a vulnerability in versions 0.7.8 through 0.8.3 where API tokens (credentials that prove you're authorized to use the service) could be passed as URL query parameters, making them visible in logs and browser history instead of being kept private in secure headers. This exposed sensitive credentials to intermediary systems that record full URLs, though it only affected deployments that actually used this method of passing tokens.

Solution / Mitigation

This was addressed in v0.8.4 by removing query-string token authentication and requiring safer header- or session-based authentication flows.

Vulnerability Details

CVSS Score

4.3(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector

network

Attack Complexity

low

Privileges Required

none

User Interaction

required

Disclosure Date

March 26, 2026

Classification

Attack Type

PII Leakage

Attack SophisticationTrivial

Impact (CIA+S)

confidentiality

AI Component TargetedAPI

Taxonomy References

CWE (Weakness Type)

CWE-598

Affected Vendors

Related Issues

medium

CVE-2026-2589: The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Sensitive Information Exposure

Similar attackNVD/CVE Database

high

Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration

First tracked: March 26, 2026 at 08:07 PM

Classified by LLM (prompt v3) · confidence: 85%