Chrome SSRF (CVE-2026-30834)
Attackers can abuse the PinchTab SSRF to reach internal networks, read local files, and map infrastructure. Upgrade to version 0.7.7 to block abuse of the /download endpoint.
Vendor-confirmed - CVE-2026-30834 is a high-severity SSRF in the PinchTab HTTP server before 0.7.7 that forces the server to send requests to attacker-chosen URLs, exfiltrating internal data and probing networks. Upgrade immediately.
Overview
A significant security vulnerability has been identified in the PinchTab HTTP server, a tool that allows AI agents to control a Chrome browser. This flaw, tracked as CVE-2026-30834, could allow an attacker to misuse the server to access sensitive internal systems and data. Users are urged to update their software immediately.
Vulnerability Details
In simple terms, this is a Server-Side Request Forgery (SSRF) vulnerability. PinchTab versions before 0.7.7 contain a specific feature, the /download endpoint, that is not properly secured. An attacker with access to the PinchTab API can manipulate this feature. Instead of only downloading intended files, they can force the PinchTab server itself to send requests to any URL the attacker specifies.
This means the attacker can point the server at:
- Other internal services on your network (like databases, admin panels, or file servers).
- Local system files on the machine running PinchTab.
The server will then retrieve the full content from these locations and send it back to the attacker, leading to data exfiltration.
Potential Impact
The impact of this vulnerability is high. Successful exploitation could lead to:
- Data Breach: Sensitive information from internal applications and files can be stolen.
- Network Mapping: Attackers can probe your internal network to discover other vulnerable systems.
- Further Attacks: Accessed data or systems could be used as a foothold for more severe attacks, such as ransomware deployment.
Remediation and Mitigation
The primary and most critical action is to upgrade PinchTab to version 0.7.7 or later. This update contains the patch that fixes the SSRF flaw in the /download endpoint.
Immediate Actions:
- Update: Identify all instances of PinchTab in your environment and upgrade them to version 0.7.7+ without delay.
- Access Control: Review and restrict access to the PinchTab API. Ensure only authorized, trusted systems and users can communicate with it, following the principle of least privilege.
- Network Segmentation: As a general security best practice, consider running tools like PinchTab in a segmented network zone to limit their ability to reach critical internal assets, even if a vulnerability is exploited.
Prompt patching remains the most effective defense against known vulnerabilities.