
CVE-2026-12304: Mozilla Firefox Auth Bypass Vulnerability

CVE-2026-12304 is a same-origin policy bypass flaw in Mozilla Firefox's Networking: Cookies component that undermines browser security protections. This article covers technical details, affected versions, and mitigation.

CVE-2026-12304 Overview

CVE-2026-12304 is a same-origin policy (SOP) bypass in the Networking: Cookies component of Mozilla Firefox and Mozilla Thunderbird. The flaw maps to [CWE-346: Origin Validation Error] and allows a remote attacker to read or manipulate cookies across origin boundaries without user interaction. Mozilla addressed the issue in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

Attackers can exploit the vulnerability over the network at low complexity, with no privileges or user interaction required. Successful exploitation impacts both confidentiality and integrity of cookie-bound session data.

Critical Impact

A malicious web page can bypass the same-origin policy in the cookie subsystem, enabling theft of or tampering with cookies belonging to unrelated origins and leading to session hijacking against authenticated web applications.

Affected Products

  • Mozilla Firefox versions prior to 152
  • Mozilla Firefox ESR versions prior to 140.12
  • Mozilla Thunderbird versions prior to 152 and Thunderbird ESR prior to 140.12

Discovery Timeline

  • 2026-06-16 - CVE-2026-12304 published to the National Vulnerability Database
  • 2026-06-17 - CVE-2026-12304 record last modified in NVD

Technical Details for CVE-2026-12304

Vulnerability Analysis

The vulnerability resides in the cookie networking layer that enforces the same-origin policy when scripts and subresource requests access stored cookies. Improper origin validation in this code path allows a document served from one origin to influence cookie scope checks for another origin.

Because cookies frequently carry session identifiers, authentication tokens, and CSRF defenses, an SOP bypass in this subsystem directly weakens the trust boundary between web applications. An attacker hosting a crafted page can coerce the browser into associating, returning, or modifying cookies that should remain isolated to a different origin.

Thunderbird inherits the same Gecko platform code, so message previews that load remote content can trigger the same condition when remote content is enabled.

Root Cause

The defect is categorized as an origin validation error ([CWE-346]). The cookie component fails to consistently bind cookie access decisions to the originating security principal, producing a state where origin attributes are either omitted or compared incorrectly during cookie storage or retrieval. Mozilla's security advisories MFSA-2026-57, MFSA-2026-58, MFSA-2026-60, and MFSA-2026-61 document the corresponding fixes shipped across desktop and ESR channels.

Attack Vector

Exploitation requires only that a victim visit an attacker-controlled URL in a vulnerable Firefox build, or that a Thunderbird user view an HTML message with remote content enabled. No credentials, prompts, or extensions are required. Once the SOP check is subverted, the attacker can issue cross-origin requests whose cookies are processed against the wrong principal, exfiltrating session state or planting attacker-chosen values into authenticated sessions.

No public proof-of-concept code is listed in Mozilla Bug Report #2034944 at the time of publication, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-12304

Indicators of Compromise

  • Firefox or Thunderbird processes initiating outbound HTTP/S connections to unfamiliar domains immediately after rendering attacker-controlled content.
  • Web application server logs showing valid session cookies arriving from unexpected Referer or Origin headers.
  • Anomalous Set-Cookie responses being honored against domains that did not issue them, observable in proxy logs.

Detection Strategies

  • Inventory browser versions across the fleet and flag any Firefox build below 152 or Firefox ESR below 140.12, and any Thunderbird build below 152 or Thunderbird ESR below 140.12.
  • Correlate browser process telemetry with downstream authentication anomalies such as session reuse from new IP addresses or geolocations.
  • Inspect HTTP proxy or web gateway logs for cross-origin cookie patterns that should be blocked by same-origin enforcement.
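As an added example (not part of this advisory page or of Mozilla's own tooling), the following Python check applies the version thresholds above to `--version`-style banners collected from a fleet. It assumes banner strings shaped like `Mozilla Firefox 140.11.0esr` or `Thunderbird 152.0`, optionally followed by a parenthetical such as `(x64 en-US)` as some inventory tools append, and treats the `esr` suffix as the channel marker; the hostnames and banners in the sample inventory are constructed.

```python
import re
from typing import NamedTuple
# Fixed builds named in the advisory: mainline 152, ESR 140.12 (Firefox and Thunderbird alike).
FIXED_MAINLINE = (152,)
FIXED_ESR = (140, 12)

# Assumed banner shape: "[Mozilla ]Firefox|Thunderbird <version>[esr][ (arch locale)]".
_BANNER_RE = re.compile(
    r"^(?:Mozilla\s+)?(?P<product>Firefox|Thunderbird)\s+"
    r"(?P<ver>\d+(?:\.\d+)*)(?P<esr>esr)?(?:\s*\(.*\))?\s*$",
    re.IGNORECASE,
)

class Assessment(NamedTuple):
    product: str
    channel: str      # "esr" or "release"
    version: tuple    # numeric components, e.g. (140, 11, 0)
    vulnerable: bool

def assess(banner: str) -> Assessment:
    """Classify one version banner against the fixed builds for this CVE."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    version = tuple(int(part) for part in m.group("ver").split("."))
    is_esr = m.group("esr") is not None
    # The esr suffix selects the threshold: release < 152 or ESR < 140.12 is flagged. Tuple
    # comparison handles differing lengths: (140, 11, 0) < (140, 12); (140, 12, 0) >= (140, 12).
    fixed = FIXED_ESR if is_esr else FIXED_MAINLINE
    channel = "esr" if is_esr else "release"
    return Assessment(m.group("product").capitalize(), channel, version, version < fixed)

def flag_unpatched(inventory):
    """Return (host, product, channel, version) for every host still on a vulnerable build."""
    flagged = []
    for host, banner in inventory:
        a = assess(banner)
        if a.vulnerable:
            flagged.append((host, a.product, a.channel, ".".join(map(str, a.version))))
    return flagged

# Constructed sample inventory; hostnames and banners are made up for this example.
SAMPLE_INVENTORY = [
    ("ws-01", "Mozilla Firefox 151.0.1"),            # release below 152 -> flag
    ("ws-02", "Mozilla Firefox 152.0 (x64 en-US)"),  # fixed release
    ("ws-03", "Mozilla Firefox 140.11.0esr"),        # ESR below 140.12 -> flag
    ("ws-04", "Mozilla Firefox 140.12.0esr"),        # fixed ESR
    ("ws-05", "Thunderbird 140.9.1esr"),             # Thunderbird ESR below 140.12 -> flag
    ("ws-06", "Thunderbird 152.0"),                  # fixed Thunderbird
]
```

Running `flag_unpatched(SAMPLE_INVENTORY)` returns the three hosts still on vulnerable builds (ws-01, ws-03, ws-05); an unrecognised banner raises `ValueError` rather than silently passing as patched.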

Monitoring Recommendations

  • Centralize endpoint and browser telemetry in a SIEM or data lake to detect post-exploitation session abuse linked to a vulnerable browser version.
  • Alert on unexpected child processes, credential file access, or token theft originating from firefox.exe, firefox, or thunderbird binaries.
  • Track authentication events that follow a browser version mismatch to prioritize incident response on unpatched hosts. The Singularity Data Lake can ingest browser, proxy, and identity telemetry through OCSF normalization to support this correlation.

How to Mitigate CVE-2026-12304

Immediate Actions Required

  • Upgrade Firefox to 152, Firefox ESR to 140.12, Thunderbird to 152, and Thunderbird ESR to 140.12 across all managed endpoints.
  • Force browser relaunches after deployment so the patched binaries replace the in-memory runtime.
  • Invalidate active web application sessions for users who browsed untrusted sites on vulnerable builds, and rotate any high-value authentication cookies.

Patch Information

Mozilla released the fix in the advisories MFSA-2026-57, MFSA-2026-58, MFSA-2026-60, and MFSA-2026-61. Apply vendor-supplied updates through standard package managers, enterprise update servers, or the built-in Firefox and Thunderbird updaters. Singularity Endpoint can surface outdated browser versions through application inventory data to support patch validation.

Workarounds

  • Disable remote content rendering in Thunderbird until the update is applied, reducing exposure from HTML messages.
  • Restrict access to untrusted web content on hosts that cannot be immediately patched, for example by routing traffic through a filtering proxy.
  • Encourage users to sign out of sensitive web applications and clear cookies after browsing sessions until updates are deployed.

```bash
# Verify installed Firefox version on Linux endpoints
firefox --version
```

```powershell
# Example Windows policy check (PowerShell) to enumerate installed builds
Get-ItemProperty 'HKLM:\Software\Mozilla\Mozilla Firefox' | Select-Object CurrentVersion
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
