CVE-2026-33623
PowerShell Command Injection in PinchTab v0.8.4 Windows Cleanup
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pinchtab | pinchtab | < 0.8.5 (all versions before 0.8.5; 0.8.5 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33623 is a moderate-severity command injection vulnerability in PinchTab version 0.8.4 on Windows. It occurs in the orphaned Chrome cleanup routine where a PowerShell command string is constructed using a profile name without properly neutralizing PowerShell metacharacters.
An attacker with authenticated, administrative-equivalent API access can launch an instance with a specially crafted profile name containing malicious PowerShell commands. When the instance is stopped, the cleanup routine executes these commands on the Windows host with the privileges of the PinchTab OS user.
This vulnerability requires high privileges and is not an unauthenticated remote code execution. It does not bypass OS user privilege boundaries but allows arbitrary command execution within the PinchTab user's context.
How can this vulnerability impact me?
The vulnerability allows an attacker with administrative API access to execute arbitrary PowerShell commands on the Windows host as the PinchTab user. This can lead to full compromise of data and processes accessible to that user.
Potential impacts include unauthorized data access, persistence on the host, and execution of follow-on malicious actions.
In environments where instances automatically restart, the injected payload can execute repeatedly, causing denial-of-service through resource exhaustion, such as spawning multiple processes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exploitation of this vulnerability involves monitoring for a PinchTab instance launched with a crafted profile name containing PowerShell metacharacters, followed by a stop request that triggers the cleanup routine.
Specifically, you can look for unusual PowerShell command executions triggered by the cleanup routine, such as commands containing injected payloads like "poc'; Start-Process calc; $x='".
Since the vulnerability involves the Windows cleanup path executing PowerShell commands, you can audit PowerShell command history or logs for suspicious commands that include profile names with metacharacters.
Additionally, monitoring API usage for calls to `POST /instances/launch` with unusual profile names and `POST /instances/{id}/stop` to trigger cleanup can help detect exploitation attempts.
No explicit detection commands are provided, but general PowerShell command auditing and API request logging focusing on instance lifecycle endpoints are recommended.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps:
- Upgrade PinchTab to version 0.8.5 or later, where the vulnerability has been patched.
- Avoid running PinchTab on publicly accessible networks; restrict it to private or closed networks.
- Restrict API access to trusted, authenticated users with administrative privileges only.
- Enforce strict validation and allowlisting on profile names to block PowerShell metacharacters and other potentially dangerous input.
- Apply security configuration best practices such as disabling high-risk endpoints unless explicitly needed and ensuring the server bind address is set to loopback interfaces only.
- Review and apply the security posture improvements and configuration hardening described in the updated documentation and security advisories.
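As an added illustration that is not PinchTab's own code (written in Go on the assumption that this matches the project's implementation language), the block below ties together the two controls discussed above: the allowlist for profile names from the mitigation list, a single-quote escaping helper as defence in depth for any name that must still be embedded in a PowerShell string, and the same allowlist applied to a constructed API request log to flag the `POST /instances/launch` requests the detection answer describes. The cleanup command template, the log line format, the profile-name character set and every function name are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// profileNameRe is an assumed allowlist for profile names: letters, digits,
// dot, underscore and hyphen, 1 to 64 characters. It excludes every
// PowerShell metacharacter (quote, semicolon, dollar, backtick, pipe, ...)
// and the -like wildcard characters (*, ?, [, ]).
var profileNameRe = regexp.MustCompile(`^[A-Za-z0-9._-]{1,64}$`)

// ValidateProfileName rejects any profile name outside the allowlist.
// This check belongs at the API boundary, before the name is stored.
func ValidateProfileName(name string) error {
	if !profileNameRe.MatchString(name) {
		return fmt.Errorf("profile name %q rejected: must match %s", name, profileNameRe.String())
	}
	return nil
}

// PSSingleQuote renders s as a PowerShell single-quoted string literal.
// PowerShell performs no variable or subexpression expansion inside single
// quotes; the only character needing escape is the quote itself, doubled.
// This is defence in depth behind the allowlist, not a substitute for it.
func PSSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// BuildCleanupCommand returns PowerShell text for a hypothetical cleanup step
// that stops orphaned Chrome processes whose command line references the
// profile. The template is an assumption for illustration only, not
// PinchTab's actual cleanup command. The name is validated first, then quoted.
func BuildCleanupCommand(profile string) (string, error) {
	if err := ValidateProfileName(profile); err != nil {
		return "", err
	}
	template := `Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" | ` +
		`Where-Object { $_.CommandLine -like ('*--user-data-dir=*' + %s + '*') } | ` +
		`ForEach-Object { Stop-Process -Id $_.ProcessId -Force }`
	return fmt.Sprintf(template, PSSingleQuote(profile)), nil
}

// SampleAPILog is a constructed request log in an assumed format; it is not
// PinchTab's log output. The second line carries the payload quoted in the
// advisory text above.
var SampleAPILog = []string{
	`2026-03-26T10:01:02Z POST /instances/launch profile=default`,
	`2026-03-26T10:02:15Z POST /instances/launch profile=poc'; Start-Process calc; $x='`,
	`2026-03-26T10:02:40Z POST /instances/abc123/stop`,
	`2026-03-26T10:05:00Z POST /instances/launch profile=team-a.build_7`,
}

// FlagSuspiciousLaunches returns the launch requests whose profile name fails
// the same allowlist the server should enforce. A flagged launch followed by a
// stop on the same instance is the sequence the advisory describes.
func FlagSuspiciousLaunches(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		if !strings.Contains(line, "POST /instances/launch") {
			continue
		}
		_, profile, ok := strings.Cut(line, "profile=")
		if !ok {
			continue
		}
		if ValidateProfileName(profile) != nil {
			flagged = append(flagged, line)
		}
	}
	return flagged
}

func main() {
	for _, name := range []string{"default", "poc'; Start-Process calc; $x='"} {
		cmd, err := BuildCleanupCommand(name)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("cleanup:", cmd)
	}
	for _, line := range FlagSuspiciousLaunches(SampleAPILog) {
		fmt.Println("suspicious launch:", line)
	}
}
```

The allowlist does the real work: once a name cannot contain a quote, semicolon, dollar sign or backtick, there is nothing for the cleanup string to interpret, and the quoting helper only guards against a future change that relaxes the allowlist. Running the same check over request logs turns the mitigation rule into a detection rule without a separate signature.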
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-33623 allows an authenticated attacker with administrative-equivalent API access to execute arbitrary PowerShell commands on the Windows host as the PinchTab user. This can lead to full compromise of data and processes accessible to that user, including potential unauthorized access, data manipulation, and persistence on the host.
Such unauthorized command execution and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access. The vulnerability increases the risk of data breaches and unauthorized data processing, which are critical compliance concerns.
However, the vulnerability requires high-privilege authenticated access and does not bypass OS user privilege boundaries, meaning it is not a remote unauthenticated risk but rather a risk from compromised or malicious privileged users or processes.
Mitigations and security posture improvements, such as restricting API access, enforcing strict profile name validation, and running PinchTab only on private networks, are important to reduce the risk and help maintain compliance.