Description
Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Published: 2026-04-21
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Mitigation bypass in cookie handling
Action: Immediate Patch
AI Analysis

Impact

The updated vulnerability description indicates a mitigation bypass in the Networking: Cookies component of Firefox and Thunderbird. This flaw allows certain cookies that normally would be restricted to be accepted or set, potentially undermining cookie policy enforcement. The weakness is categorized as CWE-288 and CWE-807.

Affected Systems

Mozilla Firefox clients running any version prior to 150 and Thunderbird clients running any version prior to 150 are affected. The issue was fixed in Firefox 150, so any releases older than that must be upgraded to eliminate the flaw.

Risk and Exploitability

The CVSS score is 9.8 and the EPSS score is not available, indicating critical severity but unknown exploitation probability. The vulnerability is not listed in CISA’s KEV catalog, suggesting it has not yet been exploited publicly. Based on the description, the likely attack vector is through a web page rendered in a vulnerable Firefox or Thunderbird client, which would require a user to visit a malicious site. The risk is high, as the flaw permits cookie manipulation that could impact session integrity, but exploitation would rely on the user’s browser and may not be globally available.

Generated by OpenCVE AI on April 22, 2026 at 13:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 150 or later, which contains the fix for the cookie mitigation bypass.
  • Upgrade Thunderbird to version 150 or later, which contains the fix for the cookie mitigation bypass.
  • In Firefox’s configuration, enable strict SameSite cookie enforcement by setting "network.cookie.sameSite.level" to the maximum value, reducing the impact of any remaining cookie handling bugs.
  • In Thunderbird’s configuration, enable strict SameSite cookie enforcement by setting "network.cookie.sameSite.level" to the maximum value, reducing the impact of any remaining cookie handling bugs.
  • Audit and update web applications to ensure they set appropriate cookie attributes (SameSite, Secure, HttpOnly) to mitigate potential misuse of cookie data.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:00:00 +0000

  First Time appeared
    Values Added: Mozilla thunderbird
  CPEs
    Values Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
                  cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
  Vendors & Products
    Values Added: Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

  Weaknesses
    Values Added: CWE-807
  References
  Metrics
    Values Removed: threat_severity: None
    Values Added: threat_severity: Moderate

Wed, 22 Apr 2026 00:00:00 +0000

  Description
    Values Removed: Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150.
    Values Added: Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
  References

Tue, 21 Apr 2026 17:15:00 +0000

  Weaknesses
    Values Added: CWE-288
  Metrics
    Values Added: cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:00:00 +0000

  First Time appeared
    Values Added: Mozilla; Mozilla firefox
  Vendors & Products
    Values Added: Mozilla; Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

  Description
    Values Added: Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150.
  Title
    Values Added: Mitigation bypass in the Networking: Cookies component
  References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:35:02.505Z

Reserved: 2026-04-21T12:41:00.686Z

Link: CVE-2026-6768

Vulnrichment

Updated: 2026-04-21T16:32:11.974Z

NVD

Status: Analyzed

Published: 2026-04-21T13:16:22.667

Modified: 2026-04-22T14:58:53.020

Link: CVE-2026-6768

Redhat

Severity: Moderate

Public Date: 2026-04-21T12:41:01Z

Links: CVE-2026-6768 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T13:45:18Z

Weaknesses