QSearchQSearch

CVE-2026-11326

OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins

Published: 2026-06-05 · Last updated: 2026-06-05

Severity and scoring

CWE
CWE-284

Description

OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-47261 Wasmtime is a runtime for WebAssembly (7.5 HIGH)
  • CVE-2026-50892 Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attacke... (6.5 MEDIUM)
  • CVE-2026-50891 Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a cra... (8.1 HIGH)
  • CVE-2026-50886 Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources vi... (9.1 CRITICAL)
  • CVE-2026-50885 Incorrect access control in the share-based read endpoints of Sismics Docs (Teedy) v1.11 allow unauthorized attackers to access sensitive... (7.5 HIGH)