CVE-2026-53766 — MEDIUM (6.1)

Q: How severe is CVE-2026-53766?

CVE-2026-53766 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-53766?

Check the references section above for vendor advisories and patch information. Affected products include: Google Chrome-Devtools-Mcp.

Vulnerability Description

Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.24.0 until 1.1.0, McpContext.validatePath() enforces workspace roots by checking whether path.resolve(filePath) textually falls under one of the configured root paths. path.resolve() does not canonicalize symbolic links. As a result, a symlink inside a configured workspace root can point to a file outside that root, pass validation, and then be followed by downstream file read/write operations. This bypass applies even when the MCP client correctly declares the roots capability with a non-empty list. It is separate from the documented legacy behavior where missing roots capability allows all paths. The practical impact is a workspace-boundary bypass. In the write direction, filePath-writing tools can overwrite out-of-root files through an in-root symlink. In the read direction, upload_file can read through the symlink and send the file to the currently selected web page. This vulnerability is fixed in 1.1.0.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Google	Chrome-Devtools-Mcp	>= 0.24.0, < 1.1.0

Related Weaknesses (CWE)

CWE-59 CWE-22

References

https://github.com/ChromeDevTools/chrome-devtools-mcp/security/advisories/GHSA-8ExploitThird Party Advisory
https://github.com/ChromeDevTools/chrome-devtools-mcp/security/advisories/GHSA-8ExploitThird Party Advisory

FAQ

What is CVE-2026-53766?

CVE-2026-53766 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.24.0 until 1.1.0, McpContext.validatePath() enforces workspace roots by checki...

How severe is CVE-2026-53766?

CVE-2026-53766 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-53766?

Check the references section above for vendor advisories and patch information. Affected products include: Google Chrome-Devtools-Mcp.