Description
A security flaw has been discovered in Browserbase Skills up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The first version of the CVE listed Browserbase itself as affected product. This was incorrect as this issue does affect browserbase/skills instead. The vendor was contacted early about this disclosure.
Published: 2026-06-21
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A security flaw has been discovered in Browserbase Skills up to version 20260526. The vulnerability lies in an unknown function of the Autobrowse Trace Artifact Handler component, where manipulation causes trace artifact files to be created with incorrect default permissions. The attack requires local access; once local access is achieved, any local user can read, modify, or delete trace files, potentially exposing sensitive data or corrupting logs. The exploit has been publicly released, and the CVE initially listed Browserbase as the affected product; the issue actually impacts Browserbase/skills and the vendor has been notified early.

Affected Systems

All instances of Browserbase Skills released through 20260526 are affected. No other vendors or products are enumerated. The vulnerability resides specifically in the Autobrowse Trace Artifact Handler component and does not impact other components of Browserbase Skills.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog, but public proof‑of‑concept material confirms that the issue is exploitable, and the vendor has been notified. The attack requires a local approach, so an attacker must already have local system access. Once local access is achieved, the attacker can exploit the insecure permissions to read or modify trace artifacts.

Generated by OpenCVE AI on July 11, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Browserbase Skills to a version newer than 20260526 if a vendor patch has been released.
  • If an immediate upgrade is not possible, change the permissions on the trace artifact directory to deny write access to unprivileged users.
  • Implement monitoring or audit logging for the trace artifact directory to detect unauthorized modifications.

Generated by OpenCVE AI on July 11, 2026 at 09:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 05:30:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Browserbase up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. A security flaw has been discovered in Browserbase Skills up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The first version of the CVE listed Browserbase itself as affected product. This was incorrect as this issue does affect browserbase/skills instead. The vendor was contacted early about this disclosure.
Title Browserbase Autobrowse Trace Artifact default permission Browserbase Skills Autobrowse Trace Artifact default permission
First Time appeared Browserbase skills
CPEs cpe:2.3:a:browserbase:browserbase:*:*:*:*:*:*:*:* cpe:2.3:a:browserbase:skills:*:*:*:*:*:*:*:*
Vendors & Products Browserbase skills

Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Browserbase up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title Browserbase Autobrowse Trace Artifact default permission
First Time appeared Browserbase
Browserbase browserbase
Weaknesses CWE-266
CWE-276
CPEs cpe:2.3:a:browserbase:browserbase:*:*:*:*:*:*:*:*
Vendors & Products Browserbase
Browserbase browserbase
References
Metrics cvssV2_0

{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Browserbase Browserbase Skills
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-03T04:05:07.713Z

Reserved: 2026-06-21T13:17:40.650Z

Link: CVE-2026-12823

cve-icon Vulnrichment

Updated: 2026-06-23T14:02:41.157Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-11T10:00:05Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-276

    Incorrect Default Permissions