Description
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.8` through `v0.8.3` accepted the API token from a `token` URL query parameter in addition to the `Authorization` header. When a valid API credential is sent in the URL, it can be exposed through request URIs recorded by intermediaries or client-side tooling, such as reverse proxy access logs, browser history, shell history, clipboard history, and tracing systems that capture full URLs. This issue is an unsafe credential transport pattern rather than a direct authentication bypass. It only affects deployments where a token is configured and a client actually uses the query-parameter form. PinchTab's security guidance already recommended `Authorization: Bearer <token>`, but `v0.8.3` still accepted `?token=` and included first-party flows that generated and consumed URLs containing the token. This was addressed in v0.8.4 by removing query-string token authentication and requiring safer header- or session-based authentication flows.
Published: 2026-03-26
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: Credential exposure via URL query parameter
Action: Apply patch
AI Analysis

Impact

PinchTab versions 0.7.8 through 0.8.3 accepted an API bearer token supplied in a URL query string named token, which meant that the token was embedded in the exact request URI; because many systems record full request URLs in logs, browser history, shell history, clipboard history, or tracing systems, the token could be inadvertently exposed to anyone who could read those records. This flaw is an unsafe credential transport pattern (CWE-598) and results in a loss of confidentiality of the credential without directly granting authentication bypass or remote code execution. The exposure depends on whether a bearer token is configured and a client actually uses the query‑parameter form, and it is limited to deployments that adhere to the example flows that generate URLs containing the token.
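The accept-from-query pattern described above, shown beside a header-only replacement, as an added illustration in Go; this is not PinchTab's own code, and the token value, the `/tabs` path and the function names are constructed for the example:

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed example token; a real deployment reads it from configuration.
const expectedToken = "example-token-not-real"

// bearerFromHeader returns the credential from "Authorization: Bearer <token>", else "".
func bearerFromHeader(r *http.Request) string {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return ""
	}
	return strings.TrimPrefix(h, "Bearer ")
}

// extractTokenLegacy mirrors the pattern the advisory describes for v0.7.8
// through v0.8.3: header preferred, ?token= accepted as a fallback, so any
// log or history entry that records the URI also records the credential.
func extractTokenLegacy(r *http.Request) string {
	if t := bearerFromHeader(r); t != "" {
		return t
	}
	return r.URL.Query().Get("token")
}

// extractTokenHardened is header-only, like the v0.8.4 fix: a token left in
// the query string is ignored and the request fails closed.
func extractTokenHardened(r *http.Request) string {
	return bearerFromHeader(r)
}

// authorized compares in constant time so the check does not leak the token
// byte by byte through response timing.
func authorized(presented string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(expectedToken)) == 1
}

func main() {
	viaQuery := httptest.NewRequest("GET", "/tabs?token="+expectedToken, nil)
	fmt.Println(authorized(extractTokenLegacy(viaQuery)))   // true: the secret sat in the URI
	fmt.Println(authorized(extractTokenHardened(viaQuery))) // false: query token ignored
}
```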

Affected Systems

All installations of PinchTab from version 0.7.8 through 0.8.3 that have a bearer token configured and have clients that send the token via the token query parameter are affected; this includes deployments that use the provided examples or helper scripts that generate URLs with the token.

Risk and Exploitability

The CVSS score of 4.3 denotes moderate severity; exploitation requires access to logs or history that contain the full request URL, which may occur via reverse‑proxy access logs, browser history, or other tracing systems that capture full URLs. Because the token can be read from these logs, an attacker could later use it to authenticate to the PinchTab API and issue arbitrary commands to the controlled Chrome instance. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting a lower likelihood of widespread exploitation, but any environment that logs URLs or stores request history remains at risk until it is remediated. The likely attack vector is inferred from the description to be the compromise or reading of logs or user history that hold the token.

Generated by OpenCVE AI on March 26, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PinchTab to version 0.8.4 or later, which removes query‑string token authentication and requires safer header‑based authentication flows.
  • Configure the application to reject token authentication via query parameters and enforce use of the Authorization header or session‑based methods.
  • Locate and delete any request logs, browser history, shell history, or clipboard entries that may contain exposed tokens.
  • Monitor API usage logs for anomalous activity that could indicate token reuse.

Generated by OpenCVE AI on March 26, 2026 at 22:53 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-mrqc-3276-74f8
Title: PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems
History

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Pinchtab; Pinchtab pinchtab

Type: Vendors & Products
Values Removed: (none)
Values Added: Pinchtab; Pinchtab pinchtab

Thu, 26 Mar 2026 21:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.8` through `v0.8.3` accepted the API token from a `token` URL query parameter in addition to the `Authorization` header. When a valid API credential is sent in the URL, it can be exposed through request URIs recorded by intermediaries or client-side tooling, such as reverse proxy access logs, browser history, shell history, clipboard history, and tracing systems that capture full URLs. This issue is an unsafe credential transport pattern rather than a direct authentication bypass. It only affects deployments where a token is configured and a client actually uses the query-parameter form. PinchTab's security guidance already recommended `Authorization: Bearer <token>`, but `v0.8.3` still accepted `?token=` and included first-party flows that generated and consumed URLs containing the token. This was addressed in v0.8.4 by removing query-string token authentication and requiring safer header- or session-based authentication flows.

Type: Title
Values Removed: (none)
Values Added: PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-598

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Subscriptions

Pinchtab Pinchtab
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T20:40:27.026Z

Reserved: 2026-03-23T14:24:11.616Z

Link: CVE-2026-33620

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T21:17:06.410

Modified: 2026-03-26T21:17:06.410

Link: CVE-2026-33620

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:28Z

Weaknesses