Cross-Site Scripting Vulnerability in OpenAI Atlas with Browser API Exposure
CVE-2026-11326

6MEDIUM

Key Information:

Vendor

Openai

Vendor
CVE Published:
5 June 2026

What is CVE-2026-11326?

A cross-site scripting vulnerability has been identified in OpenAI Atlas versions prior to 1.2025.288.15. This flaw allows malicious web content hosted on forum.openai.com to exploit exposed privileged browser APIs. Attackers can potentially access sensitive browser functionality, such as browser history and tab management, by leveraging this vulnerability. Upgrading to version 1.2025.288.15 or later mitigates the risk by restricting access to these APIs solely for *.chatgpt.com domains.

Affected Version(s)

OpenAI Atlas 0 < 1.2025.288.15

References

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

s1r1us and sudi of hacktron.ai
.