Path Traversal Vulnerability in BrowserStack Runner by BrowserStack
CVE-2026-49144

7.1HIGH

Key Information:

Vendor: Browserstack
Status: Browserstack-runner
Vendor: CVE Published:; 2 June 2026

🔔 Create Browserstack Vulnerability Alert

What is CVE-2026-49144?

BrowserStack Runner versions up to 0.9.5 are vulnerable to a path traversal attack due to an issue in the default HTTP handler located in lib/server.js. This vulnerability allows unauthenticated attackers adjacent to the network to exploit the unauthenticated HTTP server, which is bound to all interfaces. By doing so, attackers can traverse outside the project's root directory, potentially gaining access to sensitive files that should not be exposed, thereby posing a significant security risk.

Affected Version(s)

browserstack-runner 0 <= 0.9.5

References

https://github.com/browserstack/browserstack-runner/secur...

vendor-advisory

https://www.vulncheck.com/advisories/browserstack-runner-...

third-party-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 2, 2026
Vulnerability Reserved
May 27, 2026

Credit

Christ Bouchuen

CVE-2026-49144 Data

JSON