
CVE-2026-33620: Medium Vulnerability in PinchTab

CVE-2026-33620 describes a medium-severity vulnerability affecting PinchTab versions 0.7.8 through 0.8.3. The issue involves the exposure of API tokens through URL query parameters, leading to potential credential leakage. Immediate action is recommended to mitigate risks.

Severity: MEDIUM · CVSS 4.3 · Published March 26, 2026


CVE-2026-33620 is a medium-severity vulnerability affecting PinchTab, a standalone HTTP server that facilitates direct control of a Chrome browser by AI agents. Versions 0.7.8 through 0.8.3 of PinchTab accepted API tokens from a `token` URL query parameter, in addition to the `Authorization` header. Sending valid API credentials via URL can lead to exposure through intermediaries or client-side tools, such as reverse proxy access logs, browser history, shell history, and clipboard history. This vulnerability is categorized as an unsafe credential transport pattern rather than a direct authentication bypass.

The issue only affects deployments where a token is configured and at least one client actually passes it in the query-parameter form. PinchTab's own security guidance already recommended `Authorization: Bearer <token>`, but up to and including 0.8.3 the server still honoured `?token=`, so any client built from older examples kept a leaky path open. Version 0.8.4 removed query-string token authentication and accepts header- or session-based authentication only.
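To make the pattern concrete, here is an added example (not PinchTab's code: the request model, function names and the decision to refuse any request that still carries `?token=` are assumptions) showing the vulnerable query-string fallback beside a header-only check:

```python
"""Bearer-token check: query-string fallback (unsafe) vs header-only (hardened).

Added illustration, not PinchTab's own code. The Request model, function
names and the rejection of any request still carrying ?token= are assumptions.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed secret standing in for the operator-configured API token.
CONFIGURED_TOKEN = "s3cr3t-example-token"


@dataclass
class Request:
    method: str
    target: str                                 # request-target as sent, e.g. "/tabs?token=..."
    headers: Dict[str, str] = field(default_factory=dict)


def _bearer_from_header(req: Request) -> Optional[str]:
    """Credential from 'Authorization: Bearer <token>'; header name is case-insensitive."""
    for name, value in req.headers.items():
        if name.lower() == "authorization":
            scheme, _, cred = value.strip().partition(" ")
            if scheme.lower() == "bearer" and cred.strip():
                return cred.strip()
    return None


def _token_from_query(req: Request) -> Optional[str]:
    """First value of the ?token= parameter, or None if the parameter is absent."""
    values = parse_qs(urlsplit(req.target).query, keep_blank_values=True).get("token")
    return values[0] if values else None


def _matches(presented: Optional[str]) -> bool:
    # Constant-time comparison on bytes: the check itself must not leak the token.
    return presented is not None and hmac.compare_digest(
        presented.encode("utf-8"), CONFIGURED_TOKEN.encode("utf-8"))


def authenticate_vulnerable(req: Request) -> bool:
    """Unsafe pattern: accept the header, but fall back to ?token=.

    The fallback is the whole problem: a valid credential in the URL is written
    to proxy access logs, browser history and shell history on its way here.
    """
    return _matches(_bearer_from_header(req)) or _matches(_token_from_query(req))


def authenticate_hardened(req: Request) -> Tuple[bool, str]:
    """Header-only authentication.

    A request that still carries ?token= is refused even when the header is
    valid (an assumption here, not PinchTab's documented behaviour): failing
    loudly tells the operator which client is still using the leaky form.
    Returns (authenticated, reason).
    """
    if _token_from_query(req) is not None:
        return False, "token in query string not accepted"
    if _matches(_bearer_from_header(req)):
        return True, "ok"
    return False, "missing or invalid Authorization header"


if __name__ == "__main__":
    leaky = Request("GET", "/tabs?token=" + CONFIGURED_TOKEN)
    clean = Request("GET", "/tabs", {"Authorization": "Bearer " + CONFIGURED_TOKEN})
    print("vulnerable, token in URL :", authenticate_vulnerable(leaky))
    print("hardened,   token in URL :", authenticate_hardened(leaky))
    print("hardened,   header       :", authenticate_hardened(clean))
```

The hardened variant rejects rather than ignores a `?token=` parameter because silently accepting the header while discarding the query value would leave clients unaware that they are still leaking the credential.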

Organizations running a vulnerable version should upgrade to 0.8.4 or later. At the time of writing the CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Absence from KEV means no confirmed in-the-wild exploitation has been reported, not that the issue cannot be abused: for a leak of this kind, "exploitation" is simply someone reading a token out of a log file or shell history, which leaves little trace on the server.

Organizations should assess their exposure to this vulnerability and implement necessary controls, particularly if they are utilizing PinchTab versions affected by this issue.

Vulnerability Details

The official description outlines that PinchTab versions between 0.7.8 and 0.8.3 are vulnerable due to their acceptance of API tokens via URL query parameters. The CVSS score for this vulnerability is 4.3, categorized as medium severity. It impacts confidentiality because tokens can be logged by various systems, though there is no integrity or availability impact.

Technical Analysis

The root cause is transport of an API token in a URL query parameter, which places the secret in components that routinely record request URLs. In CVSS terms the attack vector is network, attack complexity is low, and no privileges are required; user interaction is required because the token only leaks when a client actually sends it in the URL or a URL containing it is shared, not because of anything the attacker does to the server. Confidentiality impact is low; integrity and availability are not affected.

Risk & Impact Analysis

The real-world risk from CVE-2026-33620 is that a token recovered from a log, history file or clipboard grants whatever access the PinchTab API gives its holder, which for a browser-automation server means control of the managed Chrome instance. Blast radius therefore depends on how many PinchTab instances are deployed, how widely their logs and client machines are readable, and what the controlled browser can reach. Given the medium score, address it in the normal patch cycle, but treat any token that has appeared in a URL as compromised.

Exploitation Status

Signal               Status
Known Exploit        No
Public PoC           No
Actively Exploited   No
Ransomware Use       No

Affected Versions

PinchTab versions 0.7.8 through 0.8.3 are affected by this vulnerability. Users should upgrade to version 0.8.4 or later to remediate the issue.

Mitigation & Remediation

Organizations should upgrade PinchTab to version 0.8.4 or later and update clients to send the token only in the `Authorization: Bearer <token>` header. Where patching is not immediately possible, restrict network access to the PinchTab API to the agent hosts that need it, configure reverse proxies not to record query strings (or to strip the `token` parameter before logging), and review retained logs and client-side histories for tokens that have already been written there. Any token found in a URL should be rotated, since the vulnerable versions cannot distinguish a leaked token from a legitimate one.

Detection Guidance

Search reverse-proxy and server access logs for `token=` in the request line, matching the parameter name case-insensitively and remembering that the value may be URL-encoded. Review any other intermediary that records full URLs (WAFs, API gateways, CDN logs, browser history and shell history on agent hosts), since each copy is another place the credential can be read from. Treat every token found this way as compromised.
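As an added example of the sweep described above (not from the advisory or the PinchTab project; the log lines are constructed samples in combined log format, and the parameter-name list and the redaction marker are assumptions), the following scans access logs for credential-bearing query strings and emits a redacted copy of each hit so the report does not re-record the leak:

```python
"""Find API tokens that leaked into request URLs in access logs.

Added example, not PinchTab code. Parses Common/Combined Log Format lines,
reports requests whose query string carries a credential-like parameter, and
returns a redacted copy of each matching line. The sample log lines are
constructed; the parameter-name list and "[REDACTED]" marker are assumptions.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Request-line field of a CLF/combined entry: "GET /path?query HTTP/1.1"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/[\d.]+)"')

# Parameter names treated as credentials (compared case-insensitively).
# `token` is the one PinchTab accepted; the rest are common aliases worth
# catching in the same sweep.
CREDENTIAL_PARAMS = {"token", "access_token", "api_key", "apikey"}

# Constructed sample: two leaky requests, one clean header-authenticated request.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Mar/2026:10:01:02 +0000] "GET /tabs?token=abc123def456 HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.7 - - [26/Mar/2026:10:01:09 +0000] "GET /tabs HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.9 - - [26/Mar/2026:10:02:40 +0000] "POST /navigate?url=https%3A%2F%2Fexample.com&TOKEN=zzz999 HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""


def find_leaked_params(target: str) -> Dict[str, str]:
    """Return {param: value} for credential-like parameters in a request target."""
    query = urlsplit(target).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in CREDENTIAL_PARAMS}


def redact_target(target: str) -> str:
    """Rewrite the request target with credential-like parameter values masked."""
    parts = urlsplit(target)
    pairs = [(k, "[REDACTED]" if k.lower() in CREDENTIAL_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def scan_log(text: str) -> List[Tuple[int, Dict[str, str], str]]:
    """Scan log text; return (line_no, leaked params, redacted line) for each hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue                     # not a request line we understand; skip
        leaked = find_leaked_params(m.group("target"))
        if not leaked:
            continue
        redacted = (line[:m.start("target")]
                    + redact_target(m.group("target"))
                    + line[m.end("target"):])
        hits.append((n, leaked, redacted))
    return hits


if __name__ == "__main__":
    for n, leaked, redacted in scan_log(SAMPLE_LOG):
        print(f"line {n}: leaked {sorted(leaked)} -> {redacted}")
```

Run it over real proxy output with `scan_log(open(path).read())`; the returned tuples carry the leaked values so the tokens can be rotated, while the redacted line is what should go into any ticket or report.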

AppSecure Threat Intelligence Insight

CVE-2026-33620 is a reminder that how a credential is transmitted matters as much as how it is stored. API tokens belong in the `Authorization` header (or a session mechanism), never in a query string, because URLs are copied into logs and histories by components that were never designed to protect secrets. Security teams should audit their own services and the clients they operate for the same pattern, and follow vendor security guidance when it already recommends the safer transport.


Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
