CVE-2026-49144: CVE-2026-49144: Unauthenticated Arbitrary File Read via Path Traversal in BrowserStack Runner
CVSS Score: 7.1 Published: 2026-06-03 Full Report: https://cvereports.com/reports/CVE-2026-49144
An unauthenticated path traversal vulnerability in BrowserStack Runner versions up to and including 0.9.5 allows remote or adjacent network attackers to read arbitrary files from the host system. The flaw exists within the local HTTP test server's fallback and patch file handlers, which fail to sanitize path inputs before passing them to file resolution APIs.
BrowserStack Runner through 0.9.5 permits unauthenticated remote file disclosure due to lack of path sanitization in its internal HTTP server handlers.
- CWE ID: CWE-22
- Attack Vector: Adjacent Network (AV:A)
- CVSS v4 Score: 7.1 (High)
- EPSS Score: 0.00024
- Impact: Arbitrary File Disclosure
- Exploit Status: PoC
- KEV Status: Not Listed
- BrowserStack Runner host systems running versions <= 0.9.5
- BrowserStack Runner: <= 0.9.5 (Fixed in:
None)
- Implement server-side path resolution sanitization ensuring requested files remain within intended directories.
- Bind the local HTTP test server strictly to the loopback interface (127.0.0.1) instead of 0.0.0.0.
Remediation Steps:
- Inspect the local test runner setup to check if 'browserstack-runner' is being used.
- Integrate isSafePath validation code into lib/server.js as detailed in the technical patch section.
- Configure local firewalls to deny external inbound connections to test server ports (default 3000).
- NVD - CVE-2026-49144 Detail
- GitHub Security Advisory GHSA-8rpw-6cqh-2v9h
- VulnCheck Security Advisory
Generated by CVEReports - Automated Vulnerability Intelligence