Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1 vulnerability
CVE-2026-11326 (GCVE-0-2026-11326)
Vulnerability from cvelistv5 – Published: 2026-06-05 00:12 – Updated: 2026-06-05 18:32
VLAI
Summary
OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.hacktron.ai/blog/hacking-openai-atlas… | technical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenAI | OpenAI Atlas |
Affected:
0 , < 1.2025.288.15
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11326",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T18:32:37.907593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:32:50.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenAI Atlas",
"vendor": "OpenAI",
"versions": [
{
"lessThan": "1.2025.288.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "s1r1us and sudi of hacktron.ai"
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/V:D/RE:L/U:Green",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:59:00.942Z",
"orgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7",
"shortName": "OAI"
},
"references": [
{
"name": "Pwning OpenAI Atlas Through Exposed Browser Internals",
"tags": [
"technical-description"
],
"url": "https://www.hacktron.ai/blog/hacking-openai-atlas-browser"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to OpenAI Atlas 1.2025.288.15 or later."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7",
"assignerShortName": "OAI",
"cveId": "CVE-2026-11326",
"datePublished": "2026-06-05T00:12:32.077Z",
"dateReserved": "2026-06-05T00:07:13.696Z",
"dateUpdated": "2026-06-05T18:32:50.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}