Cyber Resilience

CVE-2026-4728

Severity: Medium
Published: 24 March 2026
Modified: 13 April 2026
KEV Added: not listed
Patch: available (fixed in Firefox 149 and Thunderbird 149)
CVSS Score (v3.1): 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS Score: 0.0024 (14.3rd percentile)
Risk Priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-4728 is a medium-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Mozilla Firefox. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). EPSS ranks it at the 14.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-4728 is a spoofing vulnerability (CWE-290) in the Privacy: Anti-Tracking component of Mozilla Firefox and Thunderbird. The issue allows attackers to bypass authentication mechanisms through spoofing. It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N), classified as medium severity, and was addressed in Firefox version 149 and Thunderbird version 149.

The vulnerability can be exploited by unauthenticated remote attackers over the network with low complexity, but requires user interaction to succeed. Successful exploitation results in high integrity impact, enabling attackers to spoof anti-tracking protections without affecting confidentiality or availability.

Mozilla's security advisories (MFSA 2026-20 and MFSA 2026-23) detail the fix and recommend an immediate upgrade to Firefox 149 or Thunderbird 149. Additional technical details are available in Bugzilla entry 2013179.

Vulnerability details

Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

CWE(s): CWE-290 Authentication Bypass by Spoofing

Related Threats

MITRE ATT&CK Enterprise Techniques

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Spoofing-based auth bypass in browser anti-tracking directly enables adversary-in-the-middle attacks by allowing forged or impersonated tracking/auth signals.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

  • CVE-2025-3029 (same product: Mozilla Firefox)
  • CVE-2026-8963 (same product: Mozilla Firefox)
  • CVE-2024-10465 (same product: Mozilla Firefox)
  • CVE-2026-6762 (same product: Mozilla Firefox)
  • CVE-2026-2800 (same product: Mozilla Firefox)
  • CVE-2024-11701 (same product: Mozilla Firefox)
  • CVE-2026-8960 (same product: Mozilla Firefox)
  • CVE-2024-10462 (same product: Mozilla Firefox)
  • CVE-2023-32207 (same product: Mozilla Firefox)
  • CVE-2021-23984 (same product: Mozilla Firefox)

Affected Assets

  • mozilla / firefox: ≤ 149.0
  • mozilla / thunderbird: ≤ 149.0

Mitigating Controls (NIST 800-53 r5)

  • SI-2 Flaw Remediation (prevent): Directly requires applying the Firefox/Thunderbird 149 patch that eliminates the spoofing flaw in the Anti-Tracking component.
  • Prevent/detect: Verifies the integrity of browser binaries and configuration to ensure the spoofing vulnerability has not been introduced or exploited.
  • RA-5 Vulnerability Monitoring and Scanning (detect): Enables discovery of unpatched Firefox/Thunderbird instances that remain susceptible to the CWE-290 spoofing bypass.

Hardening callouts (derived)

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. They are derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only), so they address the weakness class (CWE-290) rather than this specific browser flaw.

Oracle Linux 8 (1 rule)
  • V-248827 OL 8 must not have the rsh-server package installed. via CWE-290
RHEL 7 (1 rule)
  • V-204442 The Red Hat Enterprise Linux operating system must not have the rsh-server package installed. via CWE-290
RHEL 8 (1 rule)
  • V-230492 RHEL 8 must not have the rsh-server package installed. via CWE-290