CVE-2026-12304: Same-origin policy bypass in the Networking: Cookies component
Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Metrics
- CVSS v3.1
- 9.1
- Severity
- CRITICAL
- Fixed in
- 140.12
- Affected Products
- 2
HarborGuard Analysis
Synopsis
A same-origin policy bypass in the Networking: Cookies component of Mozilla Firefox and Thunderbird allows a remote, unauthenticated attacker to exploit the flaw over the network without any user interaction. Successful exploitation gives the attacker read and write access to cookie data that should be isolated by origin boundaries, enabling session hijacking, credential theft, and cross-site data manipulation. Patched-image rebuilds at Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-12304 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication, including custom-built images that bundle Firefox or Thunderbird binaries.
AvailableHarborGuard is capable of scoring this CVE at CVSS 9.1 Critical and weighting it against each environment's compliance policy to surface priority-appropriate alerts, routing findings to the correct team inbox within the customer organization.
AvailableA patched-image rebuild at Firefox 152 and Firefox ESR 140.12 (and the equivalent Thunderbird versions) becomes available through HarborGuard once the fix versions are confirmed in the upstream feed. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the affected Firefox or Thunderbird instance over the network, as the attack vector is Network (AV:N).
- AuthenticationNot required
No account or session credential is needed before exploitation; the vulnerability is reachable by any unauthenticated party (PR:N).
- Victim interactionNot required
Exploitation does not require the user to click a link, open a file, or take any other action; the attack proceeds without user interaction (UI:N).
- Attack complexityDetail
Attack complexity is Low (AC:L), meaning the exploit is reliable and requires no special conditions, race timing, or environmental prerequisites.
Blast Radius
- A successful attacker reads cookie values across origin boundaries, enabling theft of session tokens and authentication cookies scoped to other sites.
- The attacker writes or overwrites cookies for foreign origins, allowing session fixation attacks or poisoning of cookie-based application state.
- Cross-origin cookie access exposes any credential, preference, or tracking data stored in cookies by co-hosted or visited web applications.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-12304 is active across all connected registries and pipelines, matching any image that ships Firefox or Thunderbird binaries against the affected version ranges. Where compliance policy permits, a patched-image rebuild targeting Firefox 152 or Firefox ESR 140.12 (and the corresponding Thunderbird releases) is queued automatically. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Customers who have not enabled auto-remediation will see the CVE flagged in their HarborGuard dashboard with fix-version guidance and a one-click rebuild option.
Fix available
- Mozilla / FirefoxFixed in 140.12, 152
- Mozilla / ThunderbirdFixed in 140.12, 152
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N