CVE-2026-53766
Analyzed Analyzed - Analysis Complete

Path Traversal in Chrome DevTools for Agents

Vulnerability report for CVE-2026-53766, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.24.0 until 1.1.0, McpContext.validatePath() enforces workspace roots by checking whether path.resolve(filePath) textually falls under one of the configured root paths. path.resolve() does not canonicalize symbolic links. As a result, a symlink inside a configured workspace root can point to a file outside that root, pass validation, and then be followed by downstream file read/write operations. This bypass applies even when the MCP client correctly declares the roots capability with a non-empty list. It is separate from the documented legacy behavior where missing roots capability allows all paths. The practical impact is a workspace-boundary bypass. In the write direction, filePath-writing tools can overwrite out-of-root files through an in-root symlink. In the read direction, upload_file can read through the symlink and send the file to the currently selected web page. This vulnerability is fixed in 1.1.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
google chrome-devtools-mcp From 0.24.0 (inc) to 1.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Chrome DevTools for agents (chrome-devtools-mcp) versions from 0.24.0 until 1.1.0. The issue is with the McpContext.validatePath() function, which tries to enforce workspace root boundaries by checking if a file path falls under configured root paths using path.resolve(filePath). However, path.resolve() does not resolve symbolic links (symlinks) to their canonical paths.

Because of this, a symlink inside a configured workspace root can point to a file outside that root and still pass validation. This allows an attacker to bypass the workspace boundary restrictions. As a result, file read and write operations can access or modify files outside the intended workspace root by following these symlinks.

Specifically, writing tools can overwrite files outside the root through an in-root symlink, and reading tools can read files outside the root and send them to the selected web page. This vulnerability was fixed in version 1.1.0.

Compliance Impact

This vulnerability allows unauthorized reading and writing of files outside the intended workspace boundaries by bypassing path validation through symbolic links.

Such unauthorized access can lead to confidentiality breaches, for example, exposing sensitive files like credentials, and integrity violations by overwriting files.

These impacts could potentially violate data protection regulations and standards such as GDPR and HIPAA, which require strict controls on access to sensitive data and maintaining data integrity.

Detection Guidance

This vulnerability involves symbolic links within configured workspace roots that point outside those roots, bypassing path validation. To detect potential exploitation or presence of this vulnerability, you should look for symlinks inside your workspace directories that resolve to locations outside the workspace.

You can use commands to find such symlinks by comparing the resolved target paths of symlinks against your workspace root directories.

  • Use the 'find' command to locate symlinks inside your workspace root, for example: find /path/to/workspace -type l
  • For each symlink found, use 'readlink -f' or 'realpath' to get the canonical path and check if it points outside the workspace root. For example: realpath /path/to/workspace/symlink
  • You can script this check to compare resolved paths against the workspace root prefix to identify symlinks that bypass the root boundary.

Monitoring file read/write operations through these symlinks or unusual access to files outside the workspace root can also indicate exploitation attempts.

Impact Analysis

This vulnerability can impact you by allowing unauthorized access and modification of files outside the intended workspace boundaries in Chrome DevTools for agents.

  • An attacker or malicious tool could overwrite files outside the workspace root, potentially damaging or altering important files.
  • Sensitive files outside the workspace root could be read and exposed to the currently selected web page, leading to information disclosure.
  • This could lead to integrity and availability issues with your files and data, as indicated by the CVSS score impact on integrity and availability.
Mitigation Strategies

To mitigate this vulnerability, upgrade Chrome DevTools for agents (chrome-devtools-mcp) to version 1.1.0 or later, where the issue with workspace-boundary bypass via symlinks has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53766. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart