Pinchtab · Pinchtab · CVE-2026-33620
**Name of the Vulnerable Software and Affected Versions**
PinchTab versions v0.7.8 through v0.8.3
**Description**
PinchTab versions v0.7.8 through v0.8.3 accepted API tokens from both the `Authorization` header and a `token` URL query parameter. When a valid API credential was sent in the URL, it could be exposed through request URIs recorded by intermediaries or client-side tooling, such as reverse proxy access logs, browser history, shell history, clipboard history, and tracing systems.

This is an unsafe credential transport pattern, not a direct authentication bypass. It only affected deployments where a token was configured and a client used the query-parameter form, and the exposure depended on surrounding systems recording the full URL. The vulnerable code accepted credentials from the URL query string in `internal/handlers/middleware.go`. The `v0.8.3` release also included first-party flows that generated and consumed URLs containing the token: the `v0.8.3` dashboard frontend supported one-click login from the query-string token.

The issue was addressed in v0.8.4 by removing query-string token authentication and requiring safer header- or session-based authentication flows.
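The following Go program is an added illustration written for this advisory; it is not PinchTab's own middleware and does not reproduce `internal/handlers/middleware.go`. It shows the two patterns side by side: a legacy middleware that falls back to a `?token=` query parameter when no `Authorization` header is present, and a header-only replacement that rejects any request carrying a token in the URL. It also includes a small check a defender can run over existing reverse-proxy access logs to find request lines where a token was recorded in the URL. The endpoint paths (`/api/tabs`, `/api/navigate`), the token value and the log lines are constructed sample data, not values from the project.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample secret; a real deployment loads its token from configuration.
const sampleToken = "example-token-not-real"

// bearerFromHeader extracts the credential from "Authorization: Bearer <token>".
func bearerFromHeader(r *http.Request) string {
	h := r.Header.Get("Authorization")
	const prefix = "Bearer "
	if len(h) > len(prefix) && strings.EqualFold(h[:len(prefix)], prefix) {
		return h[len(prefix):]
	}
	return ""
}

// tokenMatches compares in constant time and never accepts an empty credential.
func tokenMatches(expected, presented string) bool {
	if expected == "" || presented == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1
}

// legacyTokenAuth mirrors the weak pattern: if the header is absent, the secret is
// read from the URL query string, so it ends up in proxy logs, history and traces.
func legacyTokenAuth(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		presented := bearerFromHeader(r)
		if presented == "" {
			presented = r.URL.Query().Get("token") // unsafe transport: credential in the URL
		}
		if !tokenMatches(expected, presented) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// headerOnlyTokenAuth is the hardened form: the header is the only accepted transport,
// and a request that carries ?token= at all is refused so callers fix their clients.
func headerOnlyTokenAuth(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, inURL := r.URL.Query()["token"]; inURL {
			http.Error(w, "send the token in the Authorization header, not the URL", http.StatusBadRequest)
			return
		}
		if !tokenMatches(expected, bearerFromHeader(r)) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe runs one request through the given middleware and returns the status code.
func probe(mw func(string, http.Handler) http.Handler, target, authHeader string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	mw(sampleToken, ok).ServeHTTP(rec, req)
	return rec.Code
}

// Constructed access-log lines in Common Log Format; only the first one leaks a token.
var sampleAccessLog = []string{
	`10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /api/tabs?token=example-token-not-real HTTP/1.1" 200 512`,
	`10.0.0.6 - - [01/Jan/2026:10:00:01 +0000] "GET /api/tabs HTTP/1.1" 200 512`,
	`10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "POST /api/navigate?url=https%3A%2F%2Fexample.com HTTP/1.1" 200 64`,
}

var requestTarget = regexp.MustCompile(`"[A-Z]+ (\S+) HTTP/`)

// leakedTokenRequests returns the request targets whose query string carried a token,
// which tells an operator which recorded URLs (and thus which tokens) to treat as exposed.
func leakedTokenRequests(lines []string) []string {
	var hits []string
	for _, line := range lines {
		m := requestTarget.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[1])
		if err != nil {
			continue
		}
		if _, ok := u.Query()["token"]; ok {
			hits = append(hits, u.Path) // report the path only, never echo the token itself
		}
	}
	return hits
}

func main() {
	fmt.Println("legacy, token in URL:", probe(legacyTokenAuth, "/api/tabs?token="+sampleToken, ""))
	fmt.Println("hardened, token in URL:", probe(headerOnlyTokenAuth, "/api/tabs?token="+sampleToken, ""))
	fmt.Println("hardened, token in header:", probe(headerOnlyTokenAuth, "/api/tabs", "Bearer "+sampleToken))
	fmt.Println("log entries with token in URL:", leakedTokenRequests(sampleAccessLog))
}
```

The hardened middleware returns 400 rather than silently ignoring the parameter, so a client still using the old form fails loudly instead of appearing to work while the secret keeps landing in logs. After upgrading, a token that ever appeared in a recorded URL should be rotated, since the log check above only shows where it was recorded, not who has read those records.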
**Recommendations**
Versions v0.7.8 through v0.8.3 should be updated to v0.8.4 or later.