CVE-2026-53765

Source
https://cve.org/CVERecord?id=CVE-2026-53765
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53765.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53765
Aliases
Published
2026-06-24T21:30:42.954Z
Modified
2026-07-08T08:12:35.788538294Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L CVSS Calculator
Summary
chrome-devtools-mcp: daemon.pid write follows symlinks in /tmp fallback runtime directory
Details

Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.20.0 until 1.1.0, The chrome-devtools-mcp daemon writes its PID file with fs.writeFileSync() to a deterministic runtime path. On typical macOS environments, and on Linux sessions where $XDGRUNTIMEDIR is unset, that runtime path falls back to /tmp/chrome-devtools-mcp-<uid>/daemon.pid. Because the write does not use O_NOFOLLOW, a local low-privilege user on the same POSIX host can pre-create /tmp/chrome-devtools-mcp-<victim_uid>/daemon.pid as a symlink to a file writable by the victim. When the victim later starts daemon mode, fs.writeFileSync() follows the symlink and truncates the target file to the daemon PID string. This vulnerability is fixed in 1.1.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53765.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-59"
    ]
}
References

Affected packages

Git / github.com/chromedevtools/chrome-devtools-mcp

Affected ranges

Type
GIT
Repo
https://github.com/chromedevtools/chrome-devtools-mcp
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:google:chrome-devtools-mcp:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "0.20.0"
        },
        {
            "fixed": "1.1.0"
        }
    ]
}

Affected versions

chrome-devtools-mcp-v0.*
chrome-devtools-mcp-v0.20.0
chrome-devtools-mcp-v0.20.1
chrome-devtools-mcp-v0.20.2
chrome-devtools-mcp-v0.20.3
chrome-devtools-mcp-v0.21.0
chrome-devtools-mcp-v0.22.0
chrome-devtools-mcp-v0.23.0
chrome-devtools-mcp-v0.24.0
chrome-devtools-mcp-v0.25.0
chrome-devtools-mcp-v0.26.0
chrome-devtools-mcp-v1.*
chrome-devtools-mcp-v1.0.0
chrome-devtools-mcp-v1.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53765.json"