CVE-2026-33621: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.7` throug
Summary
PinchTab is an HTTP server (a program that handles web requests) that lets AI agents control a Chrome browser, but versions 0.7.7 through 0.8.4 had incomplete protections against brute-force attacks (rapid repeated requests) on endpoints that check authentication tokens. The middleware (software layer that filters requests) designed to limit requests per IP address was either not activated or had flaws like trusting client-controlled headers, making it easier for attackers to guess weak passwords if they could reach the API.
Solution / Mitigation
This was fully addressed in v0.8.5 by applying RateLimitMiddleware in the production handler chain, deriving the client address from the immediate peer IP instead of trusting forwarded headers by default, and removing the /health and /metrics exemption so auth-checkable endpoints are throttled as well.
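The three elements of that fix (a rate limiter actually mounted in the handler chain, a key derived from the TCP peer rather than a client-controlled header, and no exempt routes) can be shown in a small Go `net/http` middleware. The code below is an added illustration written for this page, not PinchTab's own `RateLimitMiddleware` or any code from the project; the type and function names, the token-bucket parameters, the trusted-proxy list and the addresses in `main` are all constructed for the example. `ForwardedClientIP` is included only as the weak variant to contrast with `ClientIP`.

```go
package main

import (
	"fmt"
	"log"
	"math"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// ClientIP returns the throttling key for a request: the immediate TCP peer
// from r.RemoteAddr. X-Forwarded-For is honoured only when that peer is a
// configured reverse proxy, because any client can set the header itself.
func ClientIP(r *http.Request, trustedProxies map[string]bool) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr // address without a port
	}
	if trustedProxies[peer] {
		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
			// The right-most entry is the one the trusted proxy appended, i.e.
			// the address that connected to it; earlier entries are untrusted.
			parts := strings.Split(xff, ",")
			if ip := strings.TrimSpace(parts[len(parts)-1]); ip != "" {
				return ip
			}
		}
	}
	return peer
}

// ForwardedClientIP is the weak variant: it believes X-Forwarded-For from any
// peer, so one connection can obtain a fresh bucket simply by changing the header.
func ForwardedClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return peer
}

type bucket struct {
	tokens float64
	last   time.Time
}

// RateLimiter is a per-key token bucket. Now is a field so the refill
// behaviour can be tested with a fake clock instead of sleeping.
type RateLimiter struct {
	mu      sync.Mutex
	rate    float64 // tokens refilled per second
	burst   float64 // bucket capacity
	Now     func() time.Time
	buckets map[string]*bucket
	trusted map[string]bool
}

func NewRateLimiter(ratePerSec, burst float64, trustedProxies ...string) *RateLimiter {
	rl := &RateLimiter{rate: ratePerSec, burst: burst, Now: time.Now,
		buckets: map[string]*bucket{}, trusted: map[string]bool{}}
	for _, p := range trustedProxies {
		rl.trusted[p] = true
	}
	return rl
}

// Allow consumes one token for key and reports whether the request may proceed.
func (rl *RateLimiter) Allow(key string) bool {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	now := rl.Now()
	b, ok := rl.buckets[key]
	if !ok {
		b = &bucket{tokens: rl.burst, last: now}
		rl.buckets[key] = b
	}
	b.tokens = math.Min(rl.burst, b.tokens+now.Sub(b.last).Seconds()*rl.rate)
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Middleware throttles every route. There is deliberately no carve-out for
// /health or /metrics: any endpoint that answers differently for a valid
// token can be used to test guesses, so all of them are rate limited.
func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !rl.Allow(ClientIP(r, rl.trusted)) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed wiring: 5 req/s sustained, burst of 10, one trusted proxy at 10.0.0.2.
	rl := NewRateLimiter(5, 10, "10.0.0.2")
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:9867", rl.Middleware(mux)))
}
```

The middleware is applied once, at the outermost layer around the mux, which is what "in the production handler chain" amounts to: a limiter that exists as a type but is never wrapped around the served handler protects nothing.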
Vulnerability Details
CVSS base score: 4.8 (medium)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack vector: network
Attack complexity: high
Privileges required: none
User interaction: none
Date: March 26, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-33621
First tracked: March 26, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 85%