CVE-2026-49144
Deferred Deferred - Pending Action
Path Traversal in BrowserStack Runner

Publication date: 2026-06-02

Last updated on: 2026-06-03

Assigner: VulnCheck

Description
BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the _default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files. Attackers can exploit the unauthenticated HTTP server bound on all interfaces to traverse outside the project root and access sensitive files.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-03
Generated
2026-06-23
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-21
NVD
CVE-2026-49144
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
browserstack runner 0.9.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in BrowserStack Runner versions up to 0.9.5. It is a path traversal flaw in the _default HTTP handler within the lib/server.js file. This flaw allows unauthenticated attackers who are network-adjacent to exploit the HTTP server, which listens on all interfaces, to traverse directories outside the intended project root. As a result, attackers can read arbitrary files on the system.

Impact Analysis

The impact of this vulnerability is that an attacker can read sensitive files on the affected system without any authentication. This could lead to exposure of confidential information, configuration files, or other sensitive data that resides outside the project root directory.

Compliance Impact

The vulnerability allows unauthenticated attackers to read arbitrary files, including potentially sensitive files, by exploiting a path traversal flaw in BrowserStack Runner. This unauthorized access to sensitive data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Specifically, the ability to access sensitive files without authentication undermines confidentiality requirements mandated by these standards, potentially resulting in non-compliance and associated legal or regulatory consequences.

Detection Guidance

This vulnerability can be detected by checking if the BrowserStack Runner HTTP server is running and bound to all network interfaces (0.0.0.0) without authentication, which allows unauthenticated access.

You can attempt to detect exploitation by sending HTTP requests that try to access sensitive files via path traversal sequences in the URL, such as requesting paths like '/../etc/passwd' or '/../browserstack.json'.

Example commands to test for this vulnerability include using curl or wget to request sensitive files through the HTTP server:

  • curl http://<target-ip>:<port>/../etc/passwd
  • curl http://<target-ip>:<port>/../browserstack.json
  • wget http://<target-ip>:<port>/../etc/passwd -O -

Additionally, you can scan your network for hosts running the BrowserStack Runner HTTP server on all interfaces and check for unauthenticated access.

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict the HTTP server to bind only to localhost (127.0.0.1) instead of all interfaces (0.0.0.0) to prevent network-adjacent attackers from accessing it.
  • Add authentication to the _default HTTP handler to prevent unauthenticated access.
  • Validate and sanitize all user-controlled input paths to ensure they do not traverse outside the intended project root directory.

Since no fixed version range has been defined yet, these configuration and code changes are critical to reduce exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49144. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart