Description
Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.24.0 until 1.1.0, McpContext.validatePath() enforces workspace roots by checking whether path.resolve(filePath) textually falls under one of the configured root paths. path.resolve() does not canonicalize symbolic links. As a result, a symlink inside a configured workspace root can point to a file outside that root, pass validation, and then be followed by downstream file read/write operations. This bypass applies even when the MCP client correctly declares the roots capability with a non-empty list. It is separate from the documented legacy behavior where missing roots capability allows all paths. The practical impact is a workspace-boundary bypass. In the write direction, filePath-writing tools can overwrite out-of-root files through an in-root symlink. In the read direction, upload_file can read through the symlink and send the file to the currently selected web page. This vulnerability is fixed in 1.1.0.
Published: 2026-06-24
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome DevTools for agents (chrome-devtools-mcp) validates workspace roots by checking whether the resolved file path textually falls under a configured root, but path.resolve() does not canonicalize symbolic links. This oversight allows a symlink inside a permitted root to point to any file outside that root and pass validation. As a result, operations that read from or write to the file path can access or modify files beyond the workspace boundary, exposing confidential data or allowing integrity compromise. The vulnerability can be leveraged in both the read and write directions, potentially enabling arbitrary file disclosure or overwrite on the host system.

Affected Systems

The flaw exists in Chrome DevTools for agents versions from 0.24.0 up to, but not including, 1.1.0. Version 1.1.0 and later contain a fix that correctly canonicalizes paths before enforcing root restrictions.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score is not available, so the probability of exploitation cannot be quantified, and the flaw is not listed in the CISA KEV catalog. The likely attack vector requires an attacker who can run the MCP client or otherwise control the workspace configuration; by creating a malicious symlink at a permitted location, the attacker can read or write arbitrary files. Given the moderate CVSS, the risk is significant for systems that expose the MCP interface to untrusted parties or allow privileged agents to be compromised.

Generated by OpenCVE AI on June 24, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade chrome-devtools-mcp to version 1.1.0 or later, which resolves the path canonicalization issue.
  • Ensure that workspace roots are correctly declared and that no symbolic links exist within those roots until the latest update is applied.
  • If an immediate upgrade is not possible, remove or isolate any symlinks inside configured roots as a temporary mitigation.



History

Wed, 24 Jun 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.24.0 until 1.1.0, McpContext.validatePath() enforces workspace roots by checking whether path.resolve(filePath) textually falls under one of the configured root paths. path.resolve() does not canonicalize symbolic links. As a result, a symlink inside a configured workspace root can point to a file outside that root, pass validation, and then be followed by downstream file read/write operations. This bypass applies even when the MCP client correctly declares the roots capability with a non-empty list. It is separate from the documented legacy behavior where missing roots capability allows all paths. The practical impact is a workspace-boundary bypass. In the write direction, filePath-writing tools can overwrite out-of-root files through an in-root symlink. In the read direction, upload_file can read through the symlink and send the file to the currently selected web page. This vulnerability is fixed in 1.1.0. |
| Title | | chrome-devtools-mcp: validatePath() does not canonicalize symlinks before enforcing roots |
| Weaknesses | | CWE-22, CWE-59 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'} |



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T21:29:29.003Z

Reserved: 2026-06-10T17:48:40.547Z

Link: CVE-2026-53766


OpenCVE Enrichment

Updated: 2026-06-24T22:30:15Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')