Executive Summary

CVE-2026-33081 is a blind Server-Side Request Forgery (SSRF) vulnerability in the PinchTab application, specifically affecting the /download endpoint in versions 0.8.2 and earlier. The vulnerability occurs because the function validateDownloadURL() only validates the initial user-supplied URL to block requests to internal or private network addresses. However, subsequent requests initiated by the embedded Chromium browser, such as JavaScript redirects or resource requests, are not validated. This allows an attacker to supply a URL pointing to a malicious page they control, which then causes the embedded browser to make requests to internal network services accessible from the PinchTab host.

Exploitation requires the configuration flag security.allowDownload=true, which is disabled by default, limiting real-world impact. When exploited, the attacker can cause the browser to interact with internal-only services without receiving response data, hence a blind SSRF. This can lead to triggering state-changing endpoints on internal services.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to bypass initial URL validation and leverage the embedded Chromium browser to access internal network services from the PinchTab host. Although the attacker does not receive response content (blind SSRF), they can interact with internal services and potentially trigger state changes.

The impact includes the risk of unauthorized interactions with sensitive internal services or cloud metadata endpoints, which could lead to privilege escalation or information disclosure. The vulnerability has a moderate severity with a CVSS v3.1 base score of 5.8, indicating a network attack vector with low complexity and no required privileges or user interaction.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves verifying if the PinchTab application is running a vulnerable version (0.8.2 or below) and if the configuration flag security.allowDownload is enabled (true). Because the vulnerability is a blind SSRF via the /download endpoint, one detection method is to monitor internal services for unexpected requests triggered by the embedded Chromium browser.

A proof-of-concept detection approach includes running a local internal HTTP service on the PinchTab host bound to localhost (127.0.0.1) on a specific port (e.g., 1337) with an endpoint (e.g., /increment) that logs requests. Then, sending a request to the /download endpoint with a URL parameter pointing to an attacker-controlled page that redirects the embedded browser to the internal service. If the internal service logs the request, it confirms the SSRF.

There are no specific commands provided in the resources for direct detection on the network or system, but monitoring logs of internal services for unexpected requests and checking the PinchTab version and configuration are key steps.

Useful 0 Not Useful 0

Mitigation Strategies

The primary immediate mitigation step is to upgrade PinchTab to version 0.8.3 or later, where the vulnerability has been patched by enforcing URL validation on all browser-initiated requests within the /download flow.

If upgrading is not immediately possible, ensure that the configuration flag security.allowDownload is set to false (which is the default) to prevent exploitation.

Additionally, monitoring and restricting access to internal network services from the PinchTab host can reduce risk, as the vulnerability allows SSRF to internal-only services.

Useful 0 Not Useful 0