SCA: security update for github.com/pinchtab/pinchtab (GHSA-j65m-hv65-r264)

medium Tenable Self-Hosted Container Security Plugin ID 439173

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab
`v0.7.7` through `v0.8.4` contain incomplete request-throttling protections for auth-checkable endpoints.
In `v0.7.7` through `v0.8.3`, a fully implemented `RateLimitMiddleware` existed in
`internal/handlers/middleware.go` but was not inserted into the production HTTP handler chain, so requests
were not subject to the intended per-IP throttle. In the same pre-`v0.8.4` range, the original limiter
also keyed clients using `X-Forwarded-For`, which would have allowed client-controlled header spoofing if
the middleware had been enabled. `v0.8.4` addressed those two issues by wiring the limiter into the live
handler chain and switching the key to the immediate peer IP, but it still exempted `/health` and
`/metrics` from rate limiting even though `/health` remained an auth-checkable endpoint when a token was
configured. This issue weakens defense in depth for deployments where an attacker can reach the API,
especially if a weak human-chosen token is used. It is not a direct authentication bypass or token
disclosure issue by itself. PinchTab is documented as local-first by default and uses `127.0.0.1` plus a
generated random token in the recommended setup. PinchTab's default deployment model is a local-first,
user-controlled environment between the user and their agents; wider exposure is an intentional operator
choice. This lowers practical risk in the default configuration, even though it does not by itself change
the intrinsic base characteristics of the bug. This was fully addressed in `v0.8.5` by applying
`RateLimitMiddleware` in the production handler chain, deriving the client address from the immediate peer
IP instead of trusting forwarded headers by default, and removing the `/health` and `/metrics` exemption
so auth-checkable endpoints are throttled as well. (CVE-2026-33621)

Solution

Update the github.com/pinchtab/pinchtab library and its related packages to version 0.8.5 or later.

See Also

https://github.com/advisories/GHSA-j65m-hv65-r264

Plugin Details

Severity: Medium

ID: 439173

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 3/25/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.71

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-33621

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/24/2026

Vulnerability Publication Date: 3/24/2026

Reference Information

CVE: CVE-2026-33621