CVE-2026-11326

MEDIUM

OpenAI Atlas < 1.2025.288.15 - Improper Access Control

Description

OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later.

References (1)

Technical Description: Pwning OpenAI Atlas Through Exposed Browser Internals
https://www.hacktron.ai/blog/hacking-openai-atlas-browser

Scores

CVSS v4 6.0
EPSS 0.0021
EPSS Percentile 11.6%
CVSS v4 Vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:D/RE:L/U:Green

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-284
Status published
Products (1)
OpenAI/OpenAI Atlas < 1.2025.288.15
Published Jun 05, 2026
Tracked Since Jun 05, 2026