Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Skills by Browserbase

    CVE-2026-12823 (GCVE-0-2026-12823)

    Vulnerability from nvd – Published: 2026-06-21 23:45 – Updated: 2026-07-03 04:05
    VLAI
    Title
    Browserbase Skills Autobrowse Trace Artifact default permission
    Summary
    A security flaw has been discovered in Browserbase Skills up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The first version of the CVE listed Browserbase itself as affected product. This was incorrect as this issue does affect browserbase/skills instead. The vendor was contacted early about this disclosure.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    Impacted products
    Vendor Product Version
    Browserbase Skills Affected: 20260526
        cpe:2.3:a:browserbase:skills:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    vaibhavnarkhede (VulDB User) vaibhavnarkhede (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12823",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T14:02:23.565503Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T14:19:20.365Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:browserbase:skills:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Autobrowse Trace Artifact Handler"
              ],
              "product": "Skills",
              "vendor": "Browserbase",
              "versions": [
                {
                  "status": "affected",
                  "version": "20260526"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "vaibhavnarkhede (VulDB User)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "vaibhavnarkhede (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in Browserbase Skills up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The first version of the CVE listed Browserbase itself as affected product. This was incorrect as this issue does affect browserbase/skills instead. The vendor was contacted early about this disclosure."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 1.7,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-03T04:05:07.713Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-372613 | Browserbase Skills Autobrowse Trace Artifact default permission",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/372613"
            },
            {
              "name": "VDB-372613 | CTI Indicators (IOB, IOC, TTP)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/372613/cti"
            },
            {
              "name": "CVE-2026-12823 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-12823"
            },
            {
              "name": "Submit #837600 | Browserbase Browserbase Skills latest main branch prior to fix (tested May 2026) Information Disclosure / Insecure File Permissions",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/837600"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-12823%20-%20Browserbase%20Skills%20Autobrowse%20Trace%20Artifact%20Insecure%20File%20Permissions/Advisory.md"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-12823%20-%20Browserbase%20Skills%20Autobrowse%20Trace%20Artifact%20Insecure%20File%20Permissions/poc.sh"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-21T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-06-21T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-03T06:09:55.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Browserbase Skills Autobrowse Trace Artifact default permission"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-12823",
        "datePublished": "2026-06-21T23:45:08.247Z",
        "dateReserved": "2026-06-21T13:17:40.650Z",
        "dateUpdated": "2026-07-03T04:05:07.713Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12823 (GCVE-0-2026-12823)

    Vulnerability from cvelistv5 – Published: 2026-06-21 23:45 – Updated: 2026-07-03 04:05
    VLAI
    Title
    Browserbase Skills Autobrowse Trace Artifact default permission
    Summary
    A security flaw has been discovered in Browserbase Skills up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The first version of the CVE listed Browserbase itself as affected product. This was incorrect as this issue does affect browserbase/skills instead. The vendor was contacted early about this disclosure.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    Impacted products
    Vendor Product Version
    Browserbase Skills Affected: 20260526
        cpe:2.3:a:browserbase:skills:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    vaibhavnarkhede (VulDB User) vaibhavnarkhede (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12823",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T14:02:23.565503Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T14:19:20.365Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:browserbase:skills:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Autobrowse Trace Artifact Handler"
              ],
              "product": "Skills",
              "vendor": "Browserbase",
              "versions": [
                {
                  "status": "affected",
                  "version": "20260526"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "vaibhavnarkhede (VulDB User)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "vaibhavnarkhede (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in Browserbase Skills up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The first version of the CVE listed Browserbase itself as affected product. This was incorrect as this issue does affect browserbase/skills instead. The vendor was contacted early about this disclosure."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 1.7,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-03T04:05:07.713Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-372613 | Browserbase Skills Autobrowse Trace Artifact default permission",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/372613"
            },
            {
              "name": "VDB-372613 | CTI Indicators (IOB, IOC, TTP)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/372613/cti"
            },
            {
              "name": "CVE-2026-12823 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-12823"
            },
            {
              "name": "Submit #837600 | Browserbase Browserbase Skills latest main branch prior to fix (tested May 2026) Information Disclosure / Insecure File Permissions",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/837600"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-12823%20-%20Browserbase%20Skills%20Autobrowse%20Trace%20Artifact%20Insecure%20File%20Permissions/Advisory.md"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-12823%20-%20Browserbase%20Skills%20Autobrowse%20Trace%20Artifact%20Insecure%20File%20Permissions/poc.sh"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-21T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-06-21T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-03T06:09:55.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Browserbase Skills Autobrowse Trace Artifact default permission"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-12823",
        "datePublished": "2026-06-21T23:45:08.247Z",
        "dateReserved": "2026-06-21T13:17:40.650Z",
        "dateUpdated": "2026-07-03T04:05:07.713Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }