Intel

AIKIDO-2026-121408

browser-use is vulnerable to Incorrect Default Permissions

Incorrect Default Permissions Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

50

Medium Risk

This Affects:

PYTHONbrowser-use
0.12.3 - 0.12.7
Fixed in 0.12.8
Are you affected? Scan for Free

TL;DR

The browser-use CLI runs a background daemon that listens on a Unix domain socket for session commands. On Unix hosts the daemon creates the socket with the process umask, leaving the socket file world-accessible so other local users can connect() to and probe the daemon. A per-session HMAC token gates command dispatch, but the permissive socket file still exposes the local endpoint to co-tenants on multi-user systems before the handshake fails. The fix binds the socket under a restrictive umask and explicitly sets the socket file permissions to owner-only.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and running the CLI daemon on a multi-user host.

Background info

browser-use is vulnerable to Incorrect Default Permissions in versions 0.12.3 - 0.12.7.

How to fix this

Upgrade the browser-use library to the patch version.