{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-11326", "assignerOrgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7", "state": "PUBLISHED", "assignerShortName": "OAI", "dateReserved": "2026-06-05T00:07:13.696Z", "datePublished": "2026-06-05T00:12:32.077Z", "dateUpdated": "2026-06-05T18:32:50.603Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7", "shortName": "OAI", "dateUpdated": "2026-06-05T17:59:00.942Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "type": "CWE"}]}], "affected": [{"vendor": "OpenAI", "product": "OpenAI Atlas", "versions": [{"version": "0", "status": "affected", "lessThan": "1.2025.288.15", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/V:D/RE:L/U:Green", "baseScore": 6, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to OpenAI Atlas 1.2025.288.15 or later."}], "credits": [{"lang": "en", "value": "s1r1us and sudi of hacktron.ai", "type": "finder"}], "references": [{"url": "https://www.hacktron.ai/blog/hacking-openai-atlas-browser", "name": "Pwning OpenAI Atlas Through Exposed Browser Internals", "tags": ["technical-description"]}], "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-05T18:32:37.907593Z", "id": "CVE-2026-11326", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-05T18:32:50.603Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-11326", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-05T18:32:37.907593Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-05T18:32:46.951Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "s1r1us and sudi of hacktron.ai"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/V:D/RE:L/U:Green"}}], "affected": [{"vendor": "OpenAI", "product": "OpenAI Atlas", "versions": [{"status": "affected", "version": "0", "lessThan": "1.2025.288.15", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to OpenAI Atlas 1.2025.288.15 or later."}], "references": [{"url": "https://www.hacktron.ai/blog/hacking-openai-atlas-browser", "name": "Pwning OpenAI Atlas Through Exposed Browser Internals", "tags": ["technical-description"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7", "shortName": "OAI", "dateUpdated": "2026-06-05T17:59:00.942Z"}}}, "cveMetadata": {"cveId": "CVE-2026-11326", "state": "PUBLISHED", "dateUpdated": "2026-06-05T18:32:50.603Z", "dateReserved": "2026-06-05T00:07:13.696Z", "assignerOrgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7", "datePublished": "2026-06-05T00:12:32.077Z", "assignerShortName": "OAI"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later."}], "id": "CVE-2026-11326", "lastModified": "2026-06-05T18:17:04.343", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:D/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "source": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7", "type": "Secondary"}]}, "published": "2026-06-05T02:17:11.180", "references": [{"source": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7", "url": "https://www.hacktron.ai/blog/hacking-openai-atlas-browser"}], "sourceIdentifier": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7", "type": "Secondary"}]}

{}