Authenticated Cross-Origin Request Vulnerability in Lightpanda Headless Browser
CVE-2026-52843
9.3CRITICAL
What is CVE-2026-52843?
Lightpanda, a headless browser tailored for AI and automation, has a vulnerability where it improperly handles session cookies for every HTTP request. This occurs in versions prior to 0.2.9, where both fetch() and XMLHttpRequest methods automatically attach session cookies without considering credential settings like 'omit', 'same-origin', and 'include'. This misconfiguration enables an attacker-controlled origin to execute authenticated cross-origin requests, potentially allowing unauthorized access to sensitive data. The issue has been resolved in version 0.2.9.
Affected Version(s)
browser < 0.2.9
