PT-2026-27627 · Pinchtab · Pinchtab

Mean3374 · Published 2026-03-24 · Updated 2026-03-27 · CVE-2026-33620

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: PinchTab versions v0.7.8 through v0.8.3

Description: PinchTab versions v0.7.8 through v0.8.3 accepted API tokens from both the Authorization header and a token URL query parameter. When a valid API credential was sent in the URL, it could be exposed through request URIs recorded by intermediaries or client-side tooling, such as reverse proxy access logs, browser history, shell history, clipboard history, and tracing systems. This is an unsafe credential transport pattern, not a direct authentication bypass, and it only affected deployments where a token was configured and a client used the query-parameter form. Version v0.8.3 also shipped first-party flows that generated and consumed URLs containing the token, and its dashboard frontend supported one-click login from the query-string token.

The vulnerable code accepted credentials from the URL query string in internal/handlers/middleware.go. The exposure depended on surrounding systems recording the full URL. The issue was addressed in v0.8.4 by removing query-string token authentication and requiring header- or session-based authentication flows.

Recommendations: Update versions v0.7.8 through v0.8.3 to v0.8.4 or later.
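The transport pattern the description names, shown as an added illustration that is not Pinchtab's code: a hypothetical Go middleware that reads a bearer token from either the Authorization header or a token query parameter (the v0.7.8 to v0.8.3 behaviour) beside the header-only form, with a helper that returns the request line a reverse proxy would write to its access log. The token value, route and all function names are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const exampleToken = "example-token-not-real" // constructed value; illustrative code, not Pinchtab's
// extractTokenHeaderOnly is the hardened form: the Authorization header is the only source.
func extractTokenHeaderOnly(r *http.Request) string {
	if t, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer "); ok {
		return t
	}
	return ""
}

// extractTokenLegacy is the weak pattern: header first, then a "token" query parameter.
func extractTokenLegacy(r *http.Request) string {
	if t := extractTokenHeaderOnly(r); t != "" {
		return t
	}
	return r.URL.Query().Get("token") // this value ends up in proxy logs and shell history
}

// requireToken rejects requests whose extracted token does not match (constant-time compare).
func requireToken(extract func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if subtle.ConstantTimeCompare([]byte(extract(r)), []byte(exampleToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs one request through the middleware; it returns the status code and the request line a proxy would log.
func statusFor(extract func(*http.Request) string, target, auth string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.Header.Set("Authorization", auth) // empty auth means no usable header
	rec := httptest.NewRecorder()         // Code stays 200 when the next handler writes nothing
	requireToken(extract, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code, req.Method + " " + req.URL.RequestURI()
}

func main() {
	fmt.Println(statusFor(extractTokenLegacy, "/api/tabs?token="+exampleToken, ""))
}
```

The legacy extractor authenticates the query-string request and the logged request line carries the secret; the header-only extractor rejects that same request and only accepts the bearer header, which is not part of the logged URI.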

Related Identifiers

CVE-2026-33620
GHSA-MRQC-3276-74F8
GO-2026-4822
SUSE-SU-2026:1135-1

Affected Products

Pinchtab