Cyber Posture

CVE-2026-33623

Severity: Medium · Public PoC · RCE

Published: 26 March 2026
Modified: 31 March 2026
KEV Added: not listed
Patch: v0.8.5
CVSS Score: 6.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0003 (7.3th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33623 is a medium-severity OS Command Injection (CWE-78) vulnerability in PinchTab (vendor Pinchtab). Its CVSS v3.1 base score is 6.7 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 7.3th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-10 Information Input Validation (prevent)
Requires validation and sanitization of the profile path input to neutralize PowerShell metacharacters and prevent command injection during cleanup.

SI-2 Flaw Remediation (prevent)
Mandates timely flaw remediation by applying patches like v0.8.5 that fix the unsafe string interpolation in the PowerShell command construction.

AC-6 Least Privilege (prevent)
Enforces least privilege for the PinchTab process user to limit the scope and impact of arbitrary PowerShell commands executed in its security context.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.001 PowerShell Execution
Adversaries may abuse PowerShell commands and scripts for execution.
Why these techniques?

Command injection in the PinchTab HTTP server directly enables exploitation of a public-facing application for RCE; unsafe interpolation into a PowerShell -Command string allows arbitrary command execution via T1059.001.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters. If an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user. This is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries. Version 0.8.5 contains a patch for the issue.

Deeper analysis (AI-generated)

CVE-2026-33623 is a Windows-only command injection vulnerability in PinchTab version 0.8.4, a standalone HTTP server designed to give AI agents direct control over a Chrome browser. The issue resides in the orphaned Chrome cleanup path, where stopping an instance triggers a Windows cleanup routine that constructs a PowerShell `-Command` string using a `needle` derived from the profile path. This string interpolation properly escapes backslashes but fails to neutralize other PowerShell metacharacters, enabling injection of arbitrary commands. The vulnerability is classified under CWE-78 (OS Command Injection) and CWE-400 (Uncontrolled Resource Consumption), with a CVSS v3.1 base score of 6.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L).

Exploitation requires an attacker with authenticated, administrative-equivalent API access to PinchTab's instance lifecycle endpoints. The attacker launches an instance using a crafted profile name containing malicious PowerShell metacharacters, then triggers the cleanup path by stopping the instance. This results in arbitrary PowerShell command execution on the Windows host, but strictly within the security context and permissions of the PinchTab process user. It does not enable unauthenticated remote code execution from the internet or bypass host privilege boundaries.

The GitHub security advisory (GHSA-p8mm-644p-phmh) and associated commit (25b3374bdcdf0dad32c44d5d726bf953238cd8bd) detail the patch in PinchTab version 0.8.5, which addresses the unsafe string interpolation in the cleanup routine.

Because PinchTab exists to let AI agents drive a browser, the flaw is relevant to AI/ML deployments, though no real-world exploitation has been reported.
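The NVD description and the deeper analysis above both describe the same defect: a profile-derived value is interpolated into a PowerShell `-Command` string with only backslashes escaped. The following Go program is an added example written for this page, not PinchTab's code (that PinchTab is a Go codebase, the function names, the allowlist and the cleanup query are all assumptions). It shows the two controls the summary recommends in working form: an SI-10 style allowlist check on the profile name that refuses every PowerShell metacharacter before command construction, and a single-quoted PowerShell literal as a second layer, next to a reconstruction of backslash-only escaping that makes visible which characters that approach leaves untouched.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// profileNamePattern is a constructed allowlist (an assumption, not PinchTab's
// rule): letters, digits, dot, dash and underscore, 1-64 characters. Every
// character PowerShell treats as syntax ($ ; | & ` " ' ( ) { } and whitespace)
// lies outside the set, so a name that passes cannot alter a command it is
// later embedded in.
var profileNamePattern = regexp.MustCompile(`^[A-Za-z0-9._-]{1,64}$`)

// ErrUnsafeProfileName is returned for any name outside the allowlist.
var ErrUnsafeProfileName = errors.New("profile name contains characters outside the allowlist")

// ValidateProfileName is the SI-10 style input check: reject the value before
// it ever reaches command construction. "." and ".." match the pattern but are
// refused separately because they are path components, not profile names.
func ValidateProfileName(name string) error {
	if !profileNamePattern.MatchString(name) {
		return ErrUnsafeProfileName
	}
	if name == "." || name == ".." {
		return ErrUnsafeProfileName
	}
	return nil
}

// EscapeBackslashesOnly is a reconstruction of the escaping the advisory
// describes for v0.8.4 (hypothetical; not PinchTab's code): backslashes are
// doubled, while $, ;, backtick and quotes pass through unchanged. That is
// why it is insufficient on its own.
func EscapeBackslashesOnly(s string) string {
	return strings.ReplaceAll(s, `\`, `\\`)
}

// PSSingleQuote wraps s as a PowerShell single-quoted string literal. Inside
// single quotes PowerShell performs no variable expansion and honours no
// backtick escapes; the only special character is the quote itself, which is
// escaped by doubling it.
func PSSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// cleanupTemplate is an assumed stand-in for the cleanup query (the real
// routine's script is not on the page): list chrome.exe processes whose
// command line mentions the profile needle.
const cleanupTemplate = `Get-CimInstance Win32_Process -Filter "Name='chrome.exe'" | Where-Object { $_.CommandLine -like ('*' + %s + '*') } | Select-Object ProcessId`

// BuildCleanupCommand returns the -Command text a hardened cleanup routine
// would hand to PowerShell. Two layers apply: the allowlist rejects hostile
// names outright, and the single-quoted literal would still neutralise
// metacharacters if the allowlist were loosened later.
func BuildCleanupCommand(profileName string) (string, error) {
	if err := ValidateProfileName(profileName); err != nil {
		return "", err
	}
	return fmt.Sprintf(cleanupTemplate, PSSingleQuote(profileName)), nil
}

func main() {
	// Constructed sample inputs: one ordinary name and one carrying a
	// PowerShell statement separator that the allowlist must refuse.
	for _, name := range []string{"agent-profile_01", "prof;name"} {
		cmd, err := BuildCleanupCommand(name)
		if err != nil {
			fmt.Printf("%-20q rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-20q ok: %s\n", name, cmd)
	}
	// Backslash-only escaping leaves '$' alone, which is the v0.8.4 gap.
	fmt.Println(EscapeBackslashesOnly(`C:\profiles\a$b`))
}
```

The allowlist is the control that matters: it fails closed on anything outside a small character set, so it does not depend on enumerating PowerShell's metacharacters correctly. The single-quote wrapper is defence in depth for the case where the set is later widened, and `EscapeBackslashesOnly` is kept only to make the v0.8.4 gap concrete in a test, never to build a command.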

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products
Vendor: pinchtab
Product: pinchtab
Versions: ≤ 0.8.5

AI Security Analysis (AI-generated)

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

CVEs Like This One

CVE-2026-30834 (same product: Pinchtab Pinchtab)
CVE-2026-33622 (same product: Pinchtab Pinchtab)
CVE-2026-30312 (shared CWE-78)
CVE-2026-42076 (shared CWE-78)
CVE-2026-25130 (shared CWE-78)
CVE-2026-33718 (shared CWE-78)
CVE-2026-34940 (shared CWE-78)
CVE-2026-40111 (shared CWE-78)
CVE-2026-39420 (shared CWE-78)
CVE-2025-60803 (shared CWE-78)

References