CVE Catalog

CVE-2026-53766

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.09%

0th percentile — higher than 0% of all known CVEs

Summary

Vulnerability in Chrome DevTools MCP (versions 0.24.0 to 1.1.0) allows bypassing workspace root restrictions via symbolic links. The path validation function does not canonicalize symbolic links, enabling read and write access to files outside the allowed area.

Risk Assessment

An attacker can use a symbolic link within a configured workspace root to read sensitive system files or overwrite files outside the allowed area, potentially leading to data leakage or privilege escalation.

Recommendation

Immediately update Chrome DevTools MCP to version 1.1.0 or later. If updating is not possible, avoid using symbolic links in workspace directories.

Original NVD description (English source)

Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.24.0 until 1.1.0, McpContext.validatePath() enforces workspace roots by checking whether path.resolve(filePath) textually falls under one of the configured root paths. path.resolve() does not canonicalize symbolic links. As a result, a symlink inside a configured workspace root can point to a file outside that root, pass validation, and then be followed by downstream file read/write operations. This bypass applies even when the MCP client correctly declares the roots capability with a non-empty list. It is separate from the documented legacy behavior where missing roots capability allows all paths. The practical impact is a workspace-boundary bypass. In the write direction, filePath-writing tools can overwrite out-of-root files through an in-root symlink. In the read direction, upload_file can read through the symlink and send the file to the currently selected web page. This vulnerability is fixed in 1.1.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS