CVE-2026-33622 Overview
CVE-2026-33622 is a Code Injection vulnerability affecting PinchTab, a standalone HTTP server that provides AI agents with direct control over a Chrome browser. The vulnerability allows arbitrary JavaScript execution through the POST /wait and POST /tabs/{id}/wait endpoints when using fn mode, even when the security.allowEvaluate configuration option is explicitly disabled.
Critical Impact
Authenticated attackers can bypass security policy controls to execute arbitrary JavaScript code in browser tab contexts, potentially leading to data theft, session hijacking, or malicious browser automation despite operators explicitly disabling JavaScript evaluation capabilities.
Affected Products
- PinchTab v0.8.3
- PinchTab v0.8.4
- PinchTab v0.8.5
Discovery Timeline
- 2026-03-26 - CVE-2026-33622 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33622
Vulnerability Analysis
This vulnerability represents a security policy bypass in PinchTab's request handling logic. The POST /evaluate endpoint correctly enforces the security.allowEvaluate guard, which is disabled by default to prevent arbitrary JavaScript execution. However, the POST /wait endpoint accepts a user-controlled fn expression and embeds it directly into executable JavaScript without performing the same security policy validation.
The core issue stems from inconsistent security boundary enforcement across functionally similar endpoints. While one code path properly validates the security configuration before allowing code evaluation, the alternate path through /wait completely bypasses this check, creating a gap that authenticated users can exploit.
Root Cause
The root cause is inconsistent application of the security.allowEvaluate policy across different API endpoints. The /wait endpoint's fn mode functionality directly evaluates user-supplied JavaScript expressions in the browser context without consulting the same policy guard that protects the /evaluate endpoint. This allows attackers with valid API authentication to circumvent the operator's explicit security configuration.
Attack Vector
The attack vector is network-based and requires authenticated API access. An attacker with a valid server token can send crafted requests to the /wait or /tabs/{id}/wait endpoints using fn mode. The user-controlled fn expression is embedded directly into executable JavaScript and evaluated in the target browser tab's context. While exploitation requires prior authentication, this bypasses the security policy that operators may have enabled specifically to prevent such code execution scenarios.
The vulnerability manifests when the request processing logic for /wait endpoints fails to check the security.allowEvaluate setting before accepting and executing the fn parameter contents. This allows callers to effectively perform the same operations blocked by /evaluate through an alternate, unprotected code path. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33622
Indicators of Compromise
- Unusual API requests to /wait or /tabs/{id}/wait endpoints containing fn mode parameters
- Server logs showing JavaScript evaluation attempts after security.allowEvaluate was disabled
- Unexpected browser automation behavior or tab manipulation in monitored Chrome instances
- Authentication tokens being used from unexpected source IP addresses or at unusual times
Detection Strategies
- Monitor API request logs for /wait endpoint calls containing fn parameters, especially in environments where JavaScript evaluation is disabled
- Implement request payload inspection to detect JavaScript code patterns in /wait endpoint requests
- Deploy network monitoring to identify anomalous patterns in PinchTab API traffic
- Configure alerting for any successful JavaScript evaluation events when security.allowEvaluate is set to false
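The first two strategies above can be run as a log filter. The following is an added example, not PinchTab's own tooling: it assumes a constructed access-log format of "METHOD PATH JSON-BODY" per line and that fn mode is signalled by an "fn" key in the request body, and it flags POST requests to /wait or /tabs/{id}/wait that carry that key, rating them high when security.allowEvaluate is disabled.

```python
import json
import re

# Constructed sample log lines (assumed "METHOD PATH BODY" format), not real PinchTab output.
SAMPLE_LOG = """\
POST /wait {"selector":"#done","timeout":5000}
POST /wait {"fn":"document.title.length > 0"}
POST /tabs/ab12/wait {"fn":"window.__ready === true","timeout":3000}
POST /tabs/ab12/wait {"text":"Loaded"}
POST /evaluate {"expression":"1+1"}
POST /wait {not valid json
GET /tabs {}
"""

# Matches both /wait and /tabs/{id}/wait, nothing else.
WAIT_PATH = re.compile(r"^/(?:tabs/[^/]+/)?wait$")


def parse_line(line):
    """Split 'METHOD PATH BODY'; body is None when the JSON is malformed."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return None
    method, path, raw = parts
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        body = None
    return method, path, body


def is_wait_fn_request(method, path, body):
    """True for a POST to a wait endpoint whose body uses fn mode (assumed 'fn' key)."""
    return (method == "POST" and WAIT_PATH.match(path) is not None
            and isinstance(body, dict) and "fn" in body)


def find_fn_wait_requests(log_text, allow_evaluate):
    """Return one alert dict per fn-mode wait request found in the log."""
    severity = "info" if allow_evaluate else "high"  # high = policy bypass attempt
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_wait_fn_request(*parsed):
            alerts.append({"path": parsed[1], "fn": parsed[2]["fn"], "severity": severity})
    return alerts
```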
Monitoring Recommendations
- Enable verbose logging for all PinchTab API endpoints to capture full request payloads
- Implement centralized log collection and analysis for PinchTab server instances
- Set up real-time alerts for requests to /wait endpoints that contain potential code execution patterns
- Regularly audit API access tokens and revoke any that are no longer needed or may be compromised
How to Mitigate CVE-2026-33622
Immediate Actions Required
- Review all active PinchTab deployments to identify instances running affected versions (v0.8.3 through v0.8.5)
- Restrict network access to PinchTab servers to only trusted sources via firewall rules
- Audit API access tokens and revoke any tokens that may have been compromised or are no longer required
- Implement additional network segmentation to isolate PinchTab servers from sensitive systems
Patch Information
As of the publication date (2026-03-26), a patched version is not yet available. The fix will apply the same security.allowEvaluate policy boundary to fn mode in /wait that already exists on /evaluate, while preserving non-code wait modes. Users should monitor the GitHub Security Advisory for patch release announcements and update immediately when a patched version becomes available.
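To make the policy boundary concrete, here is an added model of the two authorization shapes, written for this page and not taken from PinchTab's code base. It assumes a flat config key "security.allowEvaluate", an "expression" field on /evaluate, and "fn" as the code-mode key on /wait; the pre-fix function only guards /evaluate, while the fixed one routes every code-executing path through a single gate and still lets non-code wait modes through.

```python
import re

# Matches /wait and /tabs/{id}/wait.
WAIT_PATH = re.compile(r"^/(?:tabs/[^/]+/)?wait$")


def requires_evaluate(path, body):
    """Single source of truth: does this request run caller-supplied JavaScript?
    Assumed body shapes: /evaluate always does; /wait does only in fn mode."""
    if path == "/evaluate":
        return True
    return WAIT_PATH.match(path) is not None and "fn" in body


def authorize_vulnerable(path, body, config):
    """Pre-fix shape: the guard is consulted only on /evaluate, so fn-mode
    waits are never checked against security.allowEvaluate."""
    if path == "/evaluate" and not config.get("security.allowEvaluate", False):
        return False, "security.allowEvaluate is false"
    return True, "ok"


def authorize_fixed(path, body, config):
    """Post-fix shape: one gate for every code path; selector/text/timeout
    waits carry no 'fn' key and remain available when evaluation is disabled."""
    if requires_evaluate(path, body) and not config.get("security.allowEvaluate", False):
        return False, "security.allowEvaluate is false"
    return True, "ok"
```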
Workarounds
- Implement strict network-level access controls to limit which systems can reach the PinchTab API
- Use a reverse proxy or Web Application Firewall (WAF) to filter requests containing fn parameters to /wait endpoints
- Rotate and strictly limit distribution of API server tokens to only essential, trusted clients
- Consider temporarily disabling PinchTab deployments in security-sensitive environments until a patch is available
# Example: Restrict access to PinchTab server using iptables
# Allow only trusted IP addresses to connect to PinchTab port (default: 3000)
iptables -A INPUT -p tcp --dport 3000 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.