CVE-2026-49144: BrowserStack Runner 0.9.5 Path Traversal via _default HTTP Handler
BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the _default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files. Attackers can exploit the unauthenticated HTTP server bound on all interfaces to traverse outside the project root and access sensitive files.
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Path traversal vulnerability in BrowserStack Runner (versions up to and including 0.9.5) allows unauthenticated attackers on the same network to read arbitrary files from the host. The flaw is in the _default HTTP handler in lib/server.js, which binds on all interfaces without authentication, letting attackers craft requests that walk outside the intended project root directory. Successful exploitation gives the attacker read access to any file the process can reach on disk, including secrets, credentials, and configuration files. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle browserstack-runner. Any image with a vulnerable version of the package is flagged automatically in both registry scans and CI pipeline checks.
Available
HarborGuard scores this CVE at 7.1 HIGH using the CVSS v4.0 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer org based on configured ownership rules.
Available
No upstream fix version has been published for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention.
Pending upstream
Exploit Conditions
- Network reachability: Detail
The attacker must be on an adjacent network (LAN, VPN, or equivalent), as the vulnerable HTTP server is bound on all interfaces but reachable from the local network segment rather than the open internet.
- Authentication: Not required
The HTTP server exposed by BrowserStack Runner performs no authentication, so any adjacent-network host can send exploit requests without credentials.
- Victim interaction: Not required
No user action is needed; the attacker sends crafted HTTP requests directly to the listening server.
- Attack complexity: Detail
Exploitation is straightforward and condition-free: no race conditions or special environmental state are required to successfully traverse the path.
Blast Radius
- Reads arbitrary files accessible to the BrowserStack Runner process, including files outside the project root such as private keys, API tokens, and shell configuration files.
- Exposes environment variable files (for example .env files) that may contain database passwords, cloud provider credentials, or third-party service secrets.
- Allows enumeration of directory structures and application source code, giving an attacker a map of the host for follow-on attacks.
How HarborGuard Handles This
Available on HarborGuard: images containing browserstack-runner at or below version 0.9.5 are flagged as soon as the CVE is ingested, with no manual scan trigger required. Because no upstream fix version exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment one becomes available. In the interim, compensating controls are worth applying: use network policy to restrict access to the port bound by BrowserStack Runner to trusted hosts only, consider running the runner in an isolated container with a read-only filesystem mount limited to the project directory, and use egress filtering to limit what a compromised process can reach. For customers with auto-remediation enabled, the patched rebuild, regression test run, and PR against affected workloads will be initiated automatically once an upstream fix is published.
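The root-containment check that a static file handler of this kind needs, as an added example: this is not browserstack-runner's code or a published fix, and `resolveInsideRoot`, the `/srv/project` root and the sample request paths are constructed for illustration.

```javascript
const path = require('path');

// Hypothetical helper (not from browserstack-runner): map a request URL path
// to a file under `root`, or return null if it would land outside `root`.
function resolveInsideRoot(root, urlPath) {
  let decoded;
  try {
    // Decode once so %2e%2e and %2f are seen as the characters they encode.
    decoded = decodeURIComponent(urlPath.split('?')[0]);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL bytes never belong in a path

  const base = path.resolve(root);
  // Prefix with '.' so an absolute-looking request path stays relative to base.
  const target = path.resolve(base, '.' + path.sep + decoded);

  // path.relative yields leading '..' segments (or an absolute path on another
  // Windows drive) when target is not contained in base. Comparing segments,
  // not string prefixes, keeps a sibling such as /srv/project-secrets out.
  const rel = path.relative(base, target);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Constructed sample requests against a constructed project root.
const SAMPLE_ROOT = '/srv/project';
const SAMPLES = [
  '/tests/index.html',          // ordinary request
  '/../../etc/passwd',          // plain dot-dot segments
  '/%2e%2e/%2e%2e/etc/passwd',  // percent-encoded dot-dot
  '/../project-secrets/key',    // sibling directory sharing the root's prefix
  '/..foo/bar',                 // legitimate name that merely starts with '..'
];

function classify(samples) {
  return samples.map((p) =>
    [p, resolveInsideRoot(SAMPLE_ROOT, p) === null ? 'reject' : 'serve']);
}

for (const [p, verdict] of classify(SAMPLES)) console.log(verdict, p);
```

The check is lexical: a handler that may encounter symlinks inside the root should also compare `fs.realpathSync` of the target against the real root before opening the file.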
- browserstack / browserstack-runner ≤ 0.9.5
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N