CVE-2026-33619 Overview
CVE-2026-33619 is a Server-Side Request Forgery (SSRF) vulnerability in PinchTab, a standalone HTTP server that gives AI agents direct control over a Chrome browser. The vulnerability exists in the optional scheduler's webhook delivery path in version 0.8.3. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the scheduler sends an outbound HTTP POST to that URL when the task reaches a terminal state. The vulnerable implementation validated only the URL scheme and did not reject loopback, private, link-local, or other non-public destinations, enabling blind SSRF attacks.
Critical Impact
Attackers with task submission access can exploit the webhook callback mechanism to perform blind SSRF attacks, reaching internal HTTP(S) targets from the PinchTab server including cloud metadata endpoints and internal services.
Affected Products
- PinchTab version 0.8.3
- Deployments with the optional scheduler feature enabled
- Tokenless deployments (increased exposure)
Discovery Timeline
- 2026-03-26 - CVE-2026-33619 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33619
Vulnerability Analysis
This SSRF vulnerability (CWE-918) exists in PinchTab's optional scheduler component within the webhook delivery functionality. The root issue stems from insufficient validation of user-supplied callbackUrl parameters when tasks are submitted via the POST /tasks endpoint. In the affected v0.8.3 release, the application only performed URL scheme validation (HTTP/HTTPS) without implementing proper destination restrictions.
The vulnerability allows attackers to craft malicious callback URLs targeting internal network resources, cloud metadata services (such as 169.254.169.254), or other sensitive endpoints accessible from the PinchTab server. The impact is somewhat mitigated by several factors: the scheduler is optional and disabled by default, token-protected deployments require the master API token for task submission, and PinchTab's default deployment model is local-first with loopback binding.
Root Cause
The vulnerability originated from incomplete URL validation in the webhook delivery path. The v0.8.3 implementation:
- Validated only the URL scheme (HTTP/HTTPS)
- Failed to reject loopback addresses (127.0.0.1, localhost)
- Did not block private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Allowed link-local addresses (169.254.0.0/16)
- Used default HTTP client behavior that followed redirects
- Did not pin connections to validated IP addresses, allowing DNS rebinding attacks
Attack Vector
The attack requires network access and elevated privileges (task submission capability). An attacker with the ability to submit tasks can:
- Submit a task to POST /tasks with a malicious callbackUrl pointing to an internal target
- Wait for the task to reach a terminal state, at which point the scheduler automatically sends an HTTP POST to the attacker-supplied URL
- The internal service then receives a request that originates from the trusted PinchTab server
The security patch in v0.8.4 addressed these issues by implementing comprehensive callback target validation:
handleConfigGet(args[0])
},
})
- configCmd.AddCommand(&cobra.Command{
+ configSetCmd := &cobra.Command{
Use: "set <path> <val>",
Short: "Set a config value (e.g., server.port 8080)",
Args: cobra.ExactArgs(2),
Run: func(cmd *cobra.Command, args []string) {
handleConfigSet(args[0], args[1])
},
-})
+}
+// Allow values like "--no-sandbox --disable-gpu" after the config path.
+configSetCmd.Flags().SetInterspersed(false)
+configCmd.AddCommand(configSetCmd)
configCmd.AddCommand(&cobra.Command{
Use: "patch <json>",
Short: "Merge JSON into config",
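Review bot: this hunk does not touch callback validation, so it does not support the sentence introducing it. The visible change only restructures the `config set` CLI command: the inline `configCmd.AddCommand(&cobra.Command{...})` becomes a named `configSetCmd`, `configSetCmd.Flags().SetInterspersed(false)` is added so values such as "--no-sandbox --disable-gpu" after the config path are kept as positional arguments rather than parsed as flags, and the command is then registered. The webhook delivery fixes the text describes (non-public IP rejection, IP pinning, redirect disabling, callbackUrl validation at submission) must live elsewhere in commit c824574 or in another commit; the excerpt should be swapped for the hunk that actually implements them, or the introduction should say what this hunk is.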
Source: GitHub Commit c824574
Detection Methods for CVE-2026-33619
Indicators of Compromise
- Outbound HTTP requests from PinchTab server to internal IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints (169.254.169.254) originating from the PinchTab process
- Unusual callbackUrl values in task submission logs containing loopback or private addresses
- HTTP redirects being followed to internal destinations from webhook delivery
Detection Strategies
- Monitor PinchTab task submission logs for callbackUrl parameters containing internal or loopback IP addresses
- Implement network egress monitoring to detect outbound connections from the PinchTab server to private IP ranges
- Deploy web application firewall rules to inspect and block suspicious callback URL patterns
- Review PinchTab scheduler logs for webhook delivery attempts to non-public destinations
Monitoring Recommendations
- Enable verbose logging for the PinchTab scheduler component to capture all webhook delivery attempts
- Configure network intrusion detection systems (IDS) to alert on SSRF-characteristic traffic patterns
- Implement DNS query logging to detect potential DNS rebinding attempts
- Set up alerting for any outbound connections from PinchTab to RFC1918 private address ranges
How to Mitigate CVE-2026-33619
Immediate Actions Required
- Upgrade PinchTab to version 0.8.4 or later immediately
- Disable the optional scheduler feature if not required until patching is complete
- Ensure token-based authentication is enabled on all PinchTab deployments
- Review and audit existing task configurations for suspicious callbackUrl values
- Implement network-level egress filtering to block outbound requests to internal IP ranges
Patch Information
The vulnerability was addressed in PinchTab v0.8.4 with comprehensive fixes including validation of callback targets before dispatch, rejection of non-public IP ranges, IP pinning for webhook delivery, disabling redirect following, and validation of callbackUrl during task submission. The patch is available via the GitHub Release v0.8.4. Additional technical details can be found in the GitHub Security Advisory GHSA-xqq2-4j46-vwp7.
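The checks listed under Root Cause and the fixes summarised above, written out as an added example in Go (PinchTab's language) rather than the project's own code: the host is resolved through an injectable lookup (net.LookupIP in production, a stub in tests), every resolved address must be public, the outbound dial is pinned to the validated IP, and redirects are never followed. Function names and the lookup signature are assumptions of this example.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// IsPublicIP rejects loopback, RFC1918/ULA private, link-local (169.254/16, fe80::/10),
// unspecified and multicast addresses; IPv4-mapped IPv6 (::ffff:127.0.0.1) is covered too.
func IsPublicIP(ip net.IP) bool {
	return ip != nil && !ip.IsUnspecified() && !ip.IsLoopback() && !ip.IsPrivate() &&
		!ip.IsLinkLocalUnicast() && !ip.IsLinkLocalMulticast() && !ip.IsMulticast()
}

// ValidateCallbackURL checks the scheme, resolves the host through lookup (injectable so it
// can run offline) and returns the single IP that delivery must be pinned to.
func ValidateCallbackURL(raw string, lookup func(string) ([]net.IP, error)) (net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return nil, fmt.Errorf("callback URL %q: bad syntax or scheme", raw)
	}
	ips, err := lookup(u.Hostname())
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("cannot resolve callback host %q", u.Hostname())
	}
	for _, ip := range ips { // one non-public A/AAAA record rejects the whole URL
		if !IsPublicIP(ip) {
			return nil, fmt.Errorf("host %q resolves to non-public %s", u.Hostname(), ip)
		}
	}
	return ips[0], nil
}

// NewPinnedClient dials only the validated IP (a changed DNS answer is never honoured) and hands 3xx responses back instead of following them.
func NewPinnedClient(pinned net.IP) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				_, port, _ := net.SplitHostPort(addr) // transport always passes host:port
				return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(pinned.String(), port))
			},
		},
	}
}
```

Because only DialContext is overridden, the transport still performs TLS itself with the URL's hostname as ServerName, so certificate verification is unaffected by the pinning.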
Workarounds
- Disable the scheduler feature entirely by removing or commenting out scheduler configuration
- Implement network-level egress filtering to prevent the PinchTab server from reaching internal resources
- Deploy a reverse proxy in front of PinchTab to validate and sanitize callback URLs before task submission
- Use firewall rules to restrict outbound HTTP connections from the PinchTab server to an allowlist of known-safe external destinations
# Example: iptables rules to block outbound connections to private ranges
iptables -A OUTPUT -m owner --uid-owner pinchtab -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner pinchtab -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner pinchtab -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner pinchtab -d 169.254.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner pinchtab -d 127.0.0.0/8 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

