Executive Summary

CVE-2026-33622 is a security policy bypass vulnerability in PinchTab versions v0.8.3 through v0.8.5 that allows arbitrary JavaScript execution via the POST /wait and POST /tabs/{id}/wait endpoints when using the "fn" mode, even if the security.allowEvaluate setting is disabled.

The vulnerability arises because, unlike the POST /evaluate endpoint which correctly enforces the security.allowEvaluate guard, the POST /wait endpoint accepts a user-controlled JavaScript expression (fn) and directly embeds it into executable JavaScript evaluated in the browser context without enforcing the same security policy.

This means that an authenticated user with API access and a valid server token can execute arbitrary JavaScript in a browser tab context even when JavaScript evaluation is explicitly disabled by the operator.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated API user to bypass the security restriction that disables JavaScript evaluation, enabling arbitrary JavaScript execution within browser tabs controlled by PinchTab.

• Bypassing the explicit security.allowEvaluate control.
• Executing arbitrary JavaScript code in browser tabs.
• Reading or modifying the state of web pages loaded in the browser tabs.
• Acting within authenticated sessions, potentially leading to unauthorized actions.

However, exploitation requires authenticated API access with a valid server token, so the risk depends on the security of API access controls and exposure of sensitive browser tab contexts.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves verifying if the PinchTab server is running a vulnerable version (v0.8.3 through v0.8.5) and if the POST /wait or POST /tabs/{id}/wait endpoints accept and execute JavaScript in fn mode despite security.allowEvaluate being disabled.

A practical detection method is to attempt to execute a harmless JavaScript expression via the POST /wait endpoint using fn mode with authenticated API access and observe if the code executes in the browser tab context.

Example commands to test this (assuming you have a valid server token and access):

• 1. Confirm that POST /evaluate is blocked by policy (should return 403 if security.allowEvaluate is disabled).
• 2. Open a new tab via POST /navigate.
• 3. Send a POST request to /wait with fn mode containing a JavaScript expression, for example: {"mode":"fn", "fn":"window._poc_executed=true"}.
• 4. Verify the side effect by querying the same property (e.g., window._poc_executed) to confirm code execution.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting authenticated API access to trusted users only, as exploitation requires valid server tokens.

Additionally, monitor and limit access to the POST /wait and POST /tabs/{id}/wait endpoints, especially when using fn mode.

If possible, disable or restrict the use of fn mode in /wait endpoints until a patched version is available.

Apply the patch once it is released, which enforces the same security.allowEvaluate policy check on fn mode in /wait as is done on /evaluate, preventing arbitrary JavaScript execution.

In the meantime, consider adding monitoring or alerting for suspicious API calls that use fn mode in /wait endpoints.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated users to execute arbitrary JavaScript in browser tabs, potentially enabling unauthorized reading or modification of page state and actions within authenticated sessions.

This security policy bypass could lead to exposure or manipulation of sensitive data handled by the affected system, which may impact compliance with standards and regulations such as GDPR or HIPAA that require strict controls over data confidentiality and integrity.

However, exploitation requires authenticated API access with a valid server token, so the risk depends on the strength of access controls and the exposure of the API.

Useful 0 Not Useful 0