CVE-2026-12823
Status: Received - Intake
Incorrect Default Permissions in Browserbase Autobrowse Trace Artifact Handler

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: VulDB

Description
A security flaw has been discovered in Browserbase up to 20260526. It affects an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. Exploitation requires local access. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-22
AI Q&A
2026-06-22
EPSS Evaluated
N/A
Affected Vendors & Products
Currently, no data is known.
CWE classification
CWE-276 (Incorrect Default Permissions): During installation, installed file permissions are set to allow anyone to modify those files.
CWE-266 (Incorrect Privilege Assignment): A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Executive Summary

CVE-2026-12823 is a security flaw in Browserbase Skills' Autobrowse Trace Artifact Handler where trace artifacts containing sensitive data such as API tokens, cookies, passwords, URLs, and screenshots are created with insecure default file permissions.

Because these files are written with permissive default permissions (e.g., 0777 for directories or 0666 for files), which only become restrictive if the process umask strips the group and other bits, other local users or processes on the same system can read them whenever the environment uses a permissive umask or a shared workspace.

The vulnerability requires local access to exploit and results in local information disclosure by allowing unauthorized users to access sensitive trace data.

Compliance Impact

The vulnerability in Browserbase Skills' Autobrowse Trace Artifact Handler results in insecure file permissions that can expose sensitive data such as API tokens, cookies, passwords, URLs, and screenshots to other local users or processes in shared environments.

This local information disclosure risk could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive personal and health information from unauthorized access.

Exposing session data and private account information due to permissive default permissions may violate confidentiality and data protection requirements mandated by these regulations.

Mitigations such as setting restrictive file and directory permissions, redacting sensitive data before logging, and avoiding shared or public trace directories are recommended to reduce the risk and help maintain compliance.

Impact Analysis

This vulnerability can lead to the exposure of sensitive information such as session data, API tokens, cookies, passwords, URLs, and screenshots to unauthorized local users or processes.

In shared or multi-user environments, this means that attackers with local access could read these trace artifacts and extract private account information or other confidential data.

The impact is primarily local information disclosure, which could facilitate further attacks or unauthorized access to user accounts or services.

Detection Guidance

This vulnerability can be detected by checking the file and directory permissions of the trace artifacts generated by Browserbase Skills' Autobrowse feature. These artifacts include files such as trace.json, messages.json, summary.md, and screenshots.

You can inspect the permissions of these files and directories with standard commands; directories at 0777 or files at 0666 indicate the vulnerable state.

  • Use 'ls -l' or 'stat' commands on the trace artifact files and directories to check their permissions.
  • Attempt to access these files as a less privileged user (e.g., 'nobody') to verify if sensitive data can be read.
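
The same check as the `ls -l` / `stat` step above, written as a small Python audit so it can be run over a whole trace tree and scripted into a CI or host check. This is an added example, not code from the advisory or from Browserbase. The artifact names (trace.json, messages.json, summary.md, a screenshots/ directory) are the ones the advisory lists; the sample tree that `make_sample_tree()` builds is constructed here only to exercise the audit, and its layout is an assumption.

```python
"""Audit trace-artifact permissions (added example; not Browserbase code).

Walks a trace directory and reports every entry whose mode grants any access
to group or other, which is the condition the advisory says to look for with
`ls -l` or `stat`. make_sample_tree() builds a constructed sample tree so the
audit can be exercised offline.
"""
import os
import stat
import tempfile

# Any of these bits set means someone other than the owner can touch the entry.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO

# Artifact names from the advisory; the screenshot file name is assumed.
ARTIFACTS = ["trace.json", "messages.json", "summary.md", "screenshots/step-1.png"]


def audit_trace_dir(root):
    """Return [(path, mode)] for every directory or file under root that is
    readable, writable or executable by group/other. An empty list means the
    tree is private. Modes are 4-digit octal strings (0777, 0666, ...)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # os.walk yields every directory (root included) as dirpath, so checking
        # dirpath covers directories; the files in it are checked alongside.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            mode = stat.S_IMODE(os.lstat(path).st_mode)  # symlinks: link's own mode
            if mode & GROUP_OTHER_BITS:
                findings.append((path, format(mode, "04o")))
    return findings


def make_sample_tree(base, insecure):
    """Constructed sample tree. insecure=True reproduces the state the advisory
    describes (0777 directories, 0666 files); False builds the recommended
    0700/0600 layout. Modes are set with chmod, so the result is umask-independent."""
    root = os.path.join(base, "autobrowse-trace")
    os.makedirs(os.path.join(root, "screenshots"))
    for rel in ARTIFACTS:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("{}")
    dir_mode, file_mode = (0o777, 0o666) if insecure else (0o700, 0o600)
    os.chmod(root, dir_mode)
    os.chmod(os.path.join(root, "screenshots"), dir_mode)
    for rel in ARTIFACTS:
        os.chmod(os.path.join(root, rel), file_mode)
    return root


def demo():
    """Audit an insecure and a hardened sample tree; return both finding lists."""
    with tempfile.TemporaryDirectory() as base:
        bad = audit_trace_dir(make_sample_tree(os.path.join(base, "bad"), True))
        good = audit_trace_dir(make_sample_tree(os.path.join(base, "good"), False))
    return bad, good


if __name__ == "__main__":
    bad_findings, _ = demo()
    for path, mode in bad_findings:
        print(f"{mode} {path}")
```

Run it against a real trace directory by calling `audit_trace_dir("/path/to/trace")`; a non-empty result is the vulnerable state the advisory describes, and the reported modes match what `stat -c %a` prints. Note that the check only covers group and other bits; whether a less-privileged user can actually read the files also depends on the permissions of the parent directories, which is why the advisory's second step (trying to read the files as a user such as nobody) is still worth doing.
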

Mitigation Strategies

Immediate mitigation steps include setting restrictive permissions on the trace artifact directories and files to prevent unauthorized local access.

  • Set directory permissions to 0700.
  • Set file permissions to 0600.
  • Avoid unsafe umask defaults that allow permissive file creation.
  • Run Autobrowse in a private workspace with restrictive permissions (e.g., umask 077).
  • Redact sensitive fields such as API tokens, cookies, passwords, and URLs before logging or storing trace artifacts.
  • Avoid sharing trace directories publicly or in shared environments.

Document the sensitivity of trace directories and ensure proper access controls are in place.
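The mitigation list above applied at write time, as an added example that is not code from the advisory or from Browserbase: the handler runs with umask 077, creates directories 0700 and files 0600 with explicit modes so the result does not depend on the caller's umask, redacts sensitive fields before anything is serialised, and `remediate()` tightens an already-written trace tree to 0700/0600. The artifact names come from the advisory; the set of sensitive keys, the bearer-token and URL-query patterns, and the constructed sample messages are assumptions made for this example.

```python
"""Hardened trace writer (added example; not Browserbase code).

Applies the advisory's mitigations at write time (umask 077, 0700 directories,
0600 files, redaction) and provides remediate() for existing trees.
"""
import json
import os
import re
import stat
import tempfile

# Keys whose values are dropped outright (assumed set; extend to match real traces).
SENSITIVE_KEYS = {"token", "api_token", "api_key", "cookie", "cookies",
                  "password", "authorization", "set-cookie"}
BEARER_RE = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*")
URL_QUERY_RE = re.compile(r"(https?://[^\s?#]+)\?[^\s#]*")  # keep host/path, hide query


def redact(value):
    """Recursively scrub dicts, lists and strings: sensitive keys, bearer
    tokens, and URL query strings (where session ids and tokens usually sit)."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        value = BEARER_RE.sub("Bearer [REDACTED]", value)
        return URL_QUERY_RE.sub(r"\g<1>?[REDACTED]", value)
    return value


def write_private(path, text):
    """Create path as a new 0600 file. O_EXCL guarantees this call created it,
    so an existing (possibly shared) file at that path is never reused."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def write_trace(root, messages, summary_md):
    """Write the advisory's artifact set under a fresh 0700 directory."""
    old_umask = os.umask(0o077)        # advisory: run Autobrowse with umask 077
    try:
        os.mkdir(root, 0o700)
        os.mkdir(os.path.join(root, "screenshots"), 0o700)
        write_private(os.path.join(root, "messages.json"),
                      json.dumps(redact(messages), indent=2))
        write_private(os.path.join(root, "trace.json"),
                      json.dumps({"steps": len(messages)}))
        write_private(os.path.join(root, "summary.md"), redact(summary_md))
    finally:
        os.umask(old_umask)
    return root


def mode_of(path):
    """Permission bits of path as a 4-digit octal string."""
    return format(stat.S_IMODE(os.lstat(path).st_mode), "04o")


def remediate(root):
    """Tighten an existing trace tree to 0700 dirs / 0600 files. Symlinks are
    skipped so chmod never follows one out of the tree. Returns entries changed."""
    changed = 0
    for dirpath, _dirs, files in os.walk(root):
        targets = [(dirpath, 0o700)] + [(os.path.join(dirpath, f), 0o600) for f in files]
        for path, want in targets:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode) or stat.S_IMODE(st.st_mode) == want:
                continue
            os.chmod(path, want)
            changed += 1
    return changed


def demo():
    """Write a trace from a constructed message log containing secrets and
    return (dir_mode, file_mode, redacted_messages, summary_text)."""
    messages = [{"role": "tool", "url": "https://example.com/login?session=abc123",
                 "cookie": "sid=deadbeef", "text": "Authorization: Bearer sk-example-secret"}]
    with tempfile.TemporaryDirectory() as base:
        root = write_trace(os.path.join(base, "trace"), messages,
                           "# Run\nVisited https://example.com/a?token=xyz\n")
        with open(os.path.join(root, "messages.json")) as fh:
            redacted = json.load(fh)
        with open(os.path.join(root, "summary.md")) as fh:
            summary = fh.read()
        return mode_of(root), mode_of(os.path.join(root, "messages.json")), redacted, summary


def demo_remediate():
    """Loosen a fresh trace to the 0777/0666 state the advisory describes, run
    remediate(), and return (entries_changed, dir_mode, file_mode) afterwards."""
    with tempfile.TemporaryDirectory() as base:
        root = write_trace(os.path.join(base, "t"), [], "")
        os.chmod(root, 0o777)
        os.chmod(os.path.join(root, "summary.md"), 0o666)
        changed = remediate(root)
        return changed, mode_of(root), mode_of(os.path.join(root, "summary.md"))
```

Two design points are worth noting. The modes are passed explicitly to `os.open` and `os.mkdir` rather than relying on the umask alone, so the files stay 0600 even when a caller forgets `umask 077`; the umask is still set because any other file the handler creates (via libraries that use default modes) benefits from it. URLs are only partially redacted: host and path are kept so the trace remains useful for debugging, while the query string, where session ids and tokens usually appear, is dropped.
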
