PT-2026-23794 · Google · Google Chrome · Pinchtab

Aleister1102 · Published 2026-03-06 · Updated 2026-03-25 · CVE-2026-30834
CVSS v3.1: 7.5 High · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: PinchTab versions prior to 0.7.7
Description: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Its /download endpoint is vulnerable to Server-Side Request Forgery (SSRF): a client with access to the API can make the PinchTab-controlled browser request an arbitrary URL and then read back the full response body. The flaw is in the GET /download?url=<url> handler in download.go (line 78), where the user-controlled url parameter is passed to chromedp.Navigate(dlURL) without any scheme or destination validation. Because the navigation is performed by the Chrome instance PinchTab drives, the attacker can read local files through the file:// scheme, reach services on the internal network, and query cloud metadata endpoints. The server returns the captured response content to the attacker, allowing exfiltration of sensitive data.
Recommendations: Update PinchTab to version 0.7.7 or later. Until the update is applied, do not expose the PinchTab API to untrusted networks; the CVSS vector rates the flaw as exploitable with no privileges (PR:N) and no user interaction.
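The validation the description says is missing, shown as an added example that is not PinchTab's code or the project's fix: a Go pre-check a handler could run on the url parameter before the value reaches chromedp.Navigate. It allows only http and https, so file:// and other schemes are refused outright, and it rejects any host whose literal or resolved addresses fall into loopback, private, link-local (which covers the 169.254.169.254 metadata address), unspecified or multicast ranges, including IPv4-mapped IPv6 spellings. The names ValidateDownloadURL, Resolver, SystemResolver and FakeResolver, and the hostnames and addresses in the resolver table, are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// ErrBlocked marks a URL rejected by policy (as opposed to a lookup failure).
var ErrBlocked = errors.New("download url blocked by policy")

// Resolver maps a hostname to addresses. It is injectable so the check can be
// exercised offline with a constructed table; production code uses SystemResolver.
type Resolver func(host string) ([]netip.Addr, error)

// isForbiddenDest reports whether an address is one an SSRF payload typically aims at:
// loopback (127.0.0.0/8, ::1), RFC 1918 / ULA private ranges, link-local (which
// includes the 169.254.169.254 cloud metadata address), unspecified and multicast.
// IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 are unmapped before the checks.
func isForbiddenDest(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() ||
		a.IsPrivate() ||
		a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() ||
		a.IsInterfaceLocalMulticast() ||
		a.IsMulticast() ||
		a.IsUnspecified()
}

// ValidateDownloadURL is the pre-check a handler would run on the raw url parameter
// before handing it to the browser. Only http/https are allowed, and every literal or
// resolved address of the host must be outside the forbidden ranges. Hosts that are
// neither a parseable IP nor a resolvable name (e.g. the decimal literal 2130706433,
// which a browser would treat as 127.0.0.1) fail the lookup, so the check fails closed.
func ValidateDownloadURL(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default: // file:, gopher:, javascript:, data:, or no scheme at all
		return nil, fmt.Errorf("%w: scheme %q not allowed", ErrBlocked, u.Scheme)
	}
	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
	if host == "" {
		return nil, fmt.Errorf("%w: empty host", ErrBlocked)
	}
	var addrs []netip.Addr
	if lit, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{lit} // literal IP: no DNS involved
	} else {
		addrs, err = resolve(host)
		if err != nil {
			return nil, fmt.Errorf("resolving %q: %w", host, err)
		}
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("%w: %q resolved to no addresses", ErrBlocked, host)
	}
	// A single internal record among the answers is enough to reject the host.
	for _, a := range addrs {
		if isForbiddenDest(a) {
			return nil, fmt.Errorf("%w: %q resolves to %s", ErrBlocked, host, a)
		}
	}
	return u, nil
}

// SystemResolver performs a real DNS lookup through the Go resolver.
func SystemResolver(host string) ([]netip.Addr, error) {
	ips, err := net.LookupIP(host)
	if err != nil {
		return nil, err
	}
	out := make([]netip.Addr, 0, len(ips))
	for _, ip := range ips {
		if a, ok := netip.AddrFromSlice(ip); ok {
			out = append(out, a.Unmap())
		}
	}
	return out, nil
}

// FakeResolver answers from a constructed table (example data, no network access).
func FakeResolver(table map[string][]string) Resolver {
	return func(host string) ([]netip.Addr, error) {
		lits, ok := table[strings.ToLower(host)]
		if !ok {
			return nil, fmt.Errorf("lookup %s: no such host (constructed resolver)", host)
		}
		out := make([]netip.Addr, 0, len(lits))
		for _, s := range lits {
			a, err := netip.ParseAddr(s)
			if err != nil {
				return nil, err
			}
			out = append(out, a)
		}
		return out, nil
	}
}

func main() {
	// Constructed resolver table: one public host, one that points into RFC 1918 space.
	r := FakeResolver(map[string][]string{
		"files.example.net": {"203.0.113.10"},
		"intranet.corp":     {"10.0.0.5"},
	})
	for _, raw := range []string{
		"https://files.example.net/report.pdf",
		"file:///etc/passwd",
		"http://127.0.0.1:9222/json",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:127.0.0.1]/",
		"http://intranet.corp/",
	} {
		if _, err := ValidateDownloadURL(raw, r); err != nil {
			fmt.Printf("REJECT %-45s %v\n", raw, err)
		} else {
			fmt.Printf("ALLOW  %s\n", raw)
		}
	}
}
```

This check runs in the server process, but the fetch itself is performed by Chrome, so two gaps remain: a hostname can re-resolve to an internal address between the check and the navigation (DNS rebinding), and a validated public URL can redirect to an internal one, which the browser will follow. The durable control is egress filtering on the network the browser process uses, in addition to this input validation and to keeping the API off untrusted networks.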

Exploit · Fix · SSRF

Related Identifiers

CVE-2026-30834
GHSA-RW8P-C6HF-Q3PG
GO-2026-4631
SUSE-SU-2026:1042-1

Affected Products

Google Chrome
Pinchtab