CVE-2026-4728
Published: 24 March 2026
Summary
CVE-2026-4728 is a medium-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Mozilla Firefox. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE is ranked at the 14.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-4728 is a spoofing vulnerability (CWE-290) in the Privacy: Anti-Tracking component of Mozilla Firefox and Thunderbird. The issue allows attackers to bypass authentication mechanisms through spoofing, earning a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N), classified as medium severity. It was addressed in Firefox version 149 and Thunderbird version 149.
The vulnerability can be exploited by unauthenticated remote attackers over the network with low complexity, but requires user interaction to succeed. Successful exploitation results in high integrity impact, enabling attackers to spoof anti-tracking protections without affecting confidentiality or availability.
Mozilla's security advisories (MFSA 2026-20 and MFSA 2026-23) detail the fix, recommending immediate upgrade to Firefox 149 or Thunderbird 149. Additional technical details are available in Bugzilla entry 2013179.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14871
Vulnerability details
Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Spoofing-based auth bypass in browser anti-tracking directly enables adversary-in-the-middle attacks by allowing forged or impersonated tracking/auth signals.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the Firefox/Thunderbird 149 patch that eliminates the spoofing flaw in the Anti-Tracking component.
- Verifies the integrity of browser binaries and configuration to ensure the spoofing vulnerability has not been introduced or exploited.
- RA-5 (Vulnerability Monitoring and Scanning): enables discovery of unpatched Firefox/Thunderbird instances that remain susceptible to the CWE-290 spoofing bypass.
Hardening callouts derived
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. They are derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only), so they address the weakness class (CWE-290) rather than this specific Firefox flaw.
Oracle Linux 8 (1 rule)
- V-248827 OL 8 must not have the rsh-server package installed. via CWE-290
RHEL 7 (1 rule)
- V-204442 The Red Hat Enterprise Linux operating system must not have the rsh-server package installed. via CWE-290
RHEL 8 (1 rule)
- V-230492 RHEL 8 must not have the rsh-server package installed. via CWE-290