Vulnerability  ·  2026-07-17

Lightpanda Headless Browser — Credentials Attached to Cross-Origin Requests Regardless of credentials Setting

VulnerabilityMedium impactGlobalCVE-2026-52843
Lightpanda ignored standard fetch/XHR credential-scoping directives, sending session cookies on every outbound request regardless of the requested credentials policy.
For an AI agent using Lightpanda to browse the web on a user's behalf, this bug leaks authenticated session cookies to any site the agent visits, turning routine agentic browsing into a credential-exfiltration vector.
Lightpanda's fetch() and XMLHttpRequest implementations unconditionally attached session cookies to every HTTP request, ignoring credentials: omit/same-origin/include and XMLHttpRequest.withCredentials directives, leaking session cookies to third-party origins.
Lightpanda prior to 0.2.9
Upgrade to Lightpanda 0.2.9 or later.
NVD CVE-2026-52843
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →