Cyber Posture

CVE-2026-33622

HighPublic PoCRCE

Published: 26 March 2026

Published
26 March 2026
Modified
31 March 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0009 25.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33622 is a high-severity Code Injection (CWE-94) vulnerability in Pinchtab Pinchtab. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-18 (Mobile Code).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Validates and sanitizes user-controlled 'fn' inputs in /wait endpoints to prevent code injection of arbitrary JavaScript into the browser context.

AC-3 Access Enforcement good match
prevent

Enforces configured security policies like security.allowEvaluate across all relevant endpoints, blocking policy bypasses for JavaScript execution.

SC-18 Mobile Code good match
prevent

Restricts execution of unauthorized mobile code, such as arbitrary JavaScript injected via server endpoints into controlled browser tabs.

MITRE ATT&CK Enterprise TechniquesAI

T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
attack.mitre.org →
Why these techniques?

Direct arbitrary JavaScript execution in browser context via authenticated API bypass (CWE-94) maps to T1059.007; enables session hijacking and related browser actions as described in impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is…

more

disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation. The current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes. As of time of publication, a patched version is not yet available.

Deeper analysisAI

CVE-2026-33622 is a security-policy bypass vulnerability in PinchTab, a standalone HTTP server that enables AI agents to directly control a Chrome browser. The issue affects versions v0.8.3 through v0.8.5 and allows arbitrary JavaScript execution via POST /wait and POST /tabs/{id}/wait endpoints when using "fn" mode, even if the security.allowEvaluate configuration is disabled. While POST /evaluate properly enforces this guard (disabled by default), the /wait endpoints embed user-controlled "fn" expressions directly into executable JavaScript in the browser context without the same check, classified under CWE-94 (code injection), CWE-284 (improper access control), and CWE-693 (protection mechanism failure). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires authenticated API access using a valid server token, meaning a caller with legitimate credentials can bypass the operator's explicit disablement of JavaScript evaluation to run arbitrary code in a tab's browser context. This enables high-impact compromise of confidentiality, integrity, and availability within the controlled browser environment, such as data exfiltration, session hijacking, or malicious actions on behalf of the AI agent.

The GitHub security advisory (GHSA-w5pc-m664-r62v) details that the fix applies the existing security.allowEvaluate policy boundary to "fn" mode in /wait endpoints, mirroring the enforcement on /evaluate while preserving non-code wait modes. As of the CVE publication on 2026-03-26, no patched version is available.

PinchTab's design for AI agent browser control introduces risks in AI/ML workflows where agents interact with web environments, though no real-world exploitation has been reported at time of publication.

Details

CWE(s)
CWE-94CWE-284CWE-693

Affected Products

pinchtab
pinchtab
0.8.3 — 0.8.5

AI Security AnalysisAI

AI Category
Other AI Platforms
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

CVEs Like This One

CVE-2026-33623Same product: Pinchtab Pinchtab
CVE-2026-30834Same product: Pinchtab Pinchtab
CVE-2026-22686Shared CWE-693, CWE-94
CVE-2026-39421Shared CWE-693, CWE-94
CVE-2026-26332Shared CWE-693, CWE-94
CVE-2026-24118Shared CWE-693, CWE-94
CVE-2026-24781Shared CWE-693, CWE-94
CVE-2026-33309Shared CWE-284, CWE-94
CVE-2026-30855Shared CWE-284
CVE-2026-25807Shared CWE-94

References