CVE-2026-59804
Received Received - Intake

Midscene Bridge Server Authentication Bypass and CORS Misconfiguration

Vulnerability report for CVE-2026-59804, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Midscene Bridge Server through 1.10.3, fixed in commit 86f4118, contains a missing authentication and CORS misconfiguration vulnerability that allows unauthenticated remote attackers to hijack active bridge sessions by opening a cross-origin WebSocket connection to the local Socket.IO server, which performs no Origin header validation and requires no authentication token. Attackers can connect from any web page visited by the victim to seize the single-client slot, intercept and inject automation commands, exfiltrate command-payload data, or unconditionally terminate the server by supplying the MIDSCENE_BRIDGE_SIGNAL_KILL query parameter.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
midscene bridge_server to 1.10.3 (inc)
web-infra-dev midscene_bridge_server to 1.10.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1385 The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59804 is a security vulnerability in the Midscene Bridge Server (up to version 1.10.3) that involves missing authentication and improper Cross-Origin Resource Sharing (CORS) configuration in its WebSocket implementation.

This flaw allows unauthenticated remote attackers to hijack active bridge sessions by opening cross-origin WebSocket connections to the local Socket.IO server, which does not validate the Origin header and requires no authentication token.

Attackers can connect from any webpage visited by the victim to seize the single-client slot, intercept and inject automation commands, exfiltrate command-payload data, or unconditionally terminate the server by sending a specific kill signal query parameter.

Impact Analysis

This vulnerability can have several serious impacts:

  • Attackers can hijack active bridge sessions, gaining control over automation commands such as navigation, clicks, or keyboard inputs.
  • Sensitive data from automation payloads can be intercepted and exfiltrated by attackers.
  • Attackers can inject malicious commands causing incorrect behavior or data leakage.
  • An unauthenticated denial-of-service (DoS) attack is possible by sending a kill signal query parameter, which immediately shuts down the bridge server, aborting any running automation and requiring a restart.
Detection Guidance

This vulnerability can be detected by monitoring WebSocket connections to the Midscene Bridge Server, which runs on port 3766. Since the server does not validate the Origin header and requires no authentication, any unexpected WebSocket connections from web pages (cross-origin) could indicate exploitation attempts.

To detect potential exploitation, you can check for active WebSocket connections to port 3766 and inspect if there are connections originating from untrusted or unexpected sources.

  • Use netstat or ss to list active connections on port 3766: `netstat -anp | grep 3766` or `ss -anp | grep 3766`.
  • Use a network packet capture tool like tcpdump or Wireshark to monitor WebSocket handshake traffic on port 3766 and check the Origin headers in the WebSocket upgrade requests.
  • Example tcpdump command: `tcpdump -i any -A port 3766` and look for WebSocket upgrade requests and their Origin headers.
  • Check server logs for any WebSocket connection attempts that do not come from trusted origins such as local Node.js processes or the Midscene Chrome extension.
Mitigation Strategies

Immediate mitigation steps include updating the Midscene Bridge Server to a version that includes the fix implemented in commit 86f4118, which enforces Origin-based access control on WebSocket connections.

The fix blocks connections from untrusted origins by validating the Origin header on every Socket.IO connection, allowing only local Node.js processes (no Origin header) and the Midscene Chrome extension (chrome-extension://) to connect.

Until the update can be applied, consider restricting access to port 3766 to trusted hosts only, for example by firewall rules or network segmentation, to prevent unauthorized cross-origin WebSocket connections.

Additionally, monitor for and block any requests containing the `MIDSCENE_BRIDGE_SIGNAL_KILL` query parameter from untrusted sources to prevent denial-of-service attacks.

Review and apply the security patches described in the official fix to ensure the server rejects unauthorized kill signals and enforces proper origin validation.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to hijack active bridge sessions, intercept and inject automation commands, and exfiltrate command-payload data. This can lead to unauthorized access and potential leakage of sensitive information.

Such unauthorized access and data exfiltration could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Additionally, the ability to unconditionally terminate the server could impact availability requirements under these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59804. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart