Severity: Critical (CVSS 9.8)

Firefox/Thunderbird cookie bypass (CVE-2026-6768)

CVE-2026-6768 lets attackers bypass cookie security in Firefox and Thunderbird and steal session tokens. Update to version 150 or later to prevent session hijacking.

Affected: Mozilla Firefox, Mozilla Thunderbird

Patch now - CVE-2026-6768 is a critical cookie bypass in Firefox and Thunderbird before version 150 that lets attackers steal session tokens and impersonate authenticated users remotely with no user interaction required. Update immediately to block unauthorized cookie access and session hijacking.

Overview

CVE-2026-6768 is a critical vulnerability in the Networking: Cookies component of Mozilla Firefox and Thunderbird. This flaw allows an attacker to bypass security mitigations that normally prevent unauthorized access to browser cookies. Because no user interaction or authentication is required, the vulnerability can be exploited remotely over the network. Mozilla addressed the issue in Firefox 150 and Thunderbird 150.

Technical Details

The vulnerability resides in how Firefox and Thunderbird enforce cookie security policies, in particular the SameSite and HttpOnly cookie attributes. An attacker can craft a malicious request that bypasses these controls, enabling cookie theft or session manipulation. The CVSS score of 9.8 reflects the low attack complexity, the network-based attack vector, and the absence of any required privileges or user interaction.

Impact

Successful exploitation allows an attacker to:

  • Read cookies that should be inaccessible due to HttpOnly or SameSite restrictions
  • Steal session tokens for web applications
  • Perform cross-site request forgery (CSRF) attacks
  • Impersonate authenticated users on affected websites

This affects all Firefox and Thunderbird installations prior to version 150, including enterprise deployments using these applications for web access or email.

Affected Versions

  • Mozilla Firefox: all versions before 150
  • Mozilla Thunderbird: all versions before 150

Remediation

Mozilla has released patched versions that fix this vulnerability. Users and administrators should update immediately:

  • Update Firefox to version 150 or later
  • Update Thunderbird to version 150 or later

Mozilla’s security advisory provides the official patch details. Organizations using automated update systems should verify that these updates are applied to all endpoints.

Mitigation

While updating is the primary fix, administrators can reduce risk by:

  • Restricting browser usage to approved sites only
  • Using network segmentation to limit exposure from untrusted networks
  • Monitoring for suspicious session activity in web applications

However, these are temporary measures. The only complete mitigation is applying the patch.
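The following Python script is an added example, not code from the advisory or from Mozilla. It implements the "monitor for suspicious session activity" measure above from the web application's side: a stolen session cookie shows up as the same session id suddenly presented from a different client IP or browser, so the script parses a small constructed log (format and values are assumptions for illustration) and flags sessions whose client changes within a short window.

```python
import re
from datetime import datetime

# Constructed sample application log (not from the advisory): timestamp,
# session id, client IP, user agent, path. Session a1b2c3 is used by a
# Firefox client and then, a minute later, by a different IP and client.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z sid=a1b2c3 ip=203.0.113.10 ua="Firefox/149.0" path=/account
2026-03-01T10:00:45Z sid=a1b2c3 ip=203.0.113.10 ua="Firefox/149.0" path=/settings
2026-03-01T10:02:10Z sid=a1b2c3 ip=198.51.100.7 ua="curl/8.5.0" path=/account/export
2026-03-01T10:03:00Z sid=d4e5f6 ip=192.0.2.22 ua="Firefox/150.0" path=/inbox
2026-03-01T11:30:00Z sid=d4e5f6 ip=192.0.2.22 ua="Firefox/150.0" path=/inbox
"""

# Assumed log layout; adapt the pattern to the real application's format.
LINE_RE = re.compile(r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"')


def parse_log(text):
    """Return a list of (timestamp, session id, ip, user agent) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["sid"], m["ip"], m["ua"]))
    return events


def find_suspicious_sessions(events, window_minutes=15):
    """Map session id -> description for sessions whose token is reused
    from a different IP or user agent within window_minutes of the
    previous request on that session (a session-hijack indicator)."""
    last_seen = {}  # sid -> (ts, ip, ua) of the previous request
    flagged = {}
    for ts, sid, ip, ua in sorted(events):
        if sid in last_seen:
            prev_ts, prev_ip, prev_ua = last_seen[sid]
            client_changed = ip != prev_ip or ua != prev_ua
            within_window = (ts - prev_ts).total_seconds() <= window_minutes * 60
            if client_changed and within_window:
                flagged[sid] = f"{prev_ip}/{prev_ua} -> {ip}/{ua} at {ts:%H:%M:%S}"
        last_seen[sid] = (ts, ip, ua)
    return flagged


if __name__ == "__main__":
    for sid, reason in find_suspicious_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"possible session hijack: sid={sid}: {reason}")
```

A client change on its own is a signal, not proof (mobile users roam between networks), so tune the window and pair the alert with forced re-authentication rather than automatic lockout.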

Security Insight

This cookie bypass vulnerability reflects a persistent challenge for browser vendors: security mechanisms like SameSite and HttpOnly were designed to prevent specific attack classes, but their implementation must be hardened against clever bypasses. Mozilla’s quick fix suggests the issue was identified through internal testing or responsible disclosure, which is a positive sign for their security processes. However, the critical severity and remote exploitation potential mean organizations should treat this as a high-priority patch alongside other browser updates.
