Cyber Resilience

CVE-2026-8950

Critical

Published: 19 May 2026
Modified: 20 May 2026
KEV Added: not listed
Patch: available (see Vulnerability details)
CVSS v3.1 score: 9.3 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS score: 0.0019 (9.3th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-8950 is a critical-severity Origin Validation Error (CWE-346) vulnerability in Mozilla Firefox. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE is ranked at the 9.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11; the vendor's CWE mapping is CWE-346 (Origin Validation Error).

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

- T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
- T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
- T1528 Steal Application Access Token (Credential Access): Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Why these techniques?

A same-origin policy bypass in the browser's HTTP networking component directly enables cross-origin theft of session cookies and tokens, and therefore session hijacking.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-2790 (same product: Mozilla Firefox)
- CVE-2026-6768 (same product: Mozilla Firefox)
- CVE-2025-8031 (same product: Mozilla Firefox)
- CVE-2026-2781 (same product: Mozilla Firefox)
- CVE-2026-6771 (same product: Mozilla Firefox)
- CVE-2026-0881 (same product: Mozilla Firefox)
- CVE-2026-2768 (same product: Mozilla Firefox)
- CVE-2026-8968 (same product: Mozilla Firefox)
- CVE-2026-8960 (same product: Mozilla Firefox)
- CVE-2026-0878 (same product: Mozilla Firefox)

Affected Assets

| Vendor  | Product     | Affected versions       |
|---------|-------------|-------------------------|
| mozilla | firefox     | ≤ 140.11.0 · ≤ 151.0.0  |
| mozilla | thunderbird | ≤ 140.11 · ≤ 151.0.0    |

Mitigating Controls

Likely Mitigating Controls (AI-assigned)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-346: Requires unique identification of the service before communications, addressing failures to validate the origin of the interaction.
- Addresses CWE-346: Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.
- Addresses CWE-346: Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.
- Addresses CWE-346: Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.
- Addresses CWE-346: Mandates origin validation so that only legitimate endpoints can continue the authenticated session.
