Description
A security flaw has been discovered in Browserbase up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-21
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A security flaw in Browserbase's Autobrowse Trace Artifact Handler causes the system to create trace artifact files with incorrect default permissions. This misconfiguration can allow an attacker with local access to read or alter the files, potentially exposing sensitive data or modifying trace information. The weakness reflects improper privilege handling (CWE‑266) and incorrect permission assignment (CWE‑276).

Affected Systems

The vulnerability affects all instances of Browserbase software released up to and including version 20260526. The affected component is the Autobrowse Trace Artifact Handler within Browserbase. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and no EPSS score is available. The attack requires local access: because the exploit has been publicly released, an attacker who can execute code locally on the machine running Browserbase may use the vulnerability to read or modify trace artifacts. The vulnerability is not listed in the CISA KEV catalog, so no large-scale exploitation is reported yet, and the local attack vector limits the threat to environments where an attacker can gain local execution.

Generated by OpenCVE AI on June 22, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Browserbase to a version newer than 20260526 once a release that fixes the default permission issue is available; this record currently lists no vendor fix.
  • If an immediate update is not possible, correct the permissions on the trace artifact storage directory to restrict read/write access to the application’s user only.
  • Monitor the file system for abnormal changes to trace artifact files and enforce strict audit policies.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 00:00:00 +0000

Values added in this change (the Values Removed column is empty):

Description: A security flaw has been discovered in Browserbase up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title: Browserbase Autobrowse Trace Artifact default permission
First Time appeared: Browserbase; Browserbase browserbase
Weaknesses: CWE-266, CWE-276
CPEs: cpe:2.3:a:browserbase:browserbase:*:*:*:*:*:*:*:*
Vendors & Products: Browserbase; Browserbase browserbase
References:
Metrics:
  • cvssV2_0: score 1.7, vector AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
  • cvssV3_0: score 3.3, vector CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
  • cvssV3_1: score 3.3, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
  • cvssV4_0: score 4.8, vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-21T23:45:08.247Z

Reserved: 2026-06-21T13:17:40.650Z

Link: CVE-2026-12823

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T01:30:06Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-276

    Incorrect Default Permissions