PatchSiren cyber security CVE debrief
CVE-2026-11326 OpenAI CVE debrief
A cross-site scripting vulnerability was discovered in OpenAI Atlas before version 1.2025.288.15. The issue exposed privileged browser APIs to web content on *.openai.com origins, which could be exploited via a cross-site scripting vulnerability in forum.openai.com. This could allow attackers to access browser history information and open or close tabs. The vulnerability has been addressed in OpenAI Atlas version 1.2025.288.15, which narrows access to these APIs to *.chatgpt.com.
- Vendor: OpenAI
- Product: OpenAI Atlas
- CVSS: MEDIUM 6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
Users of OpenAI Atlas, particularly those using versions before 1.2025.288.15, should be aware of this vulnerability and upgrade to the latest version to mitigate the risk.
Technical summary
CVE-2026-11326 is a cross-site scripting vulnerability in OpenAI Atlas before 1.2025.288.15. It exposed privileged browser APIs to web content on *.openai.com origins, allowing access to browser history and tab control via a cross-site scripting vulnerability in forum.openai.com. The CVSS score for this vulnerability is 6, indicating a medium severity.
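The effect of the allowlist change described above, as an added example (not OpenAI's code and not from the advisory): a hypothetical origin gate in which every page on an allowlisted host inherits the privileged APIs, so a script-injection flaw on any one subdomain carries the privileges of the whole wildcard. The function names, the matching rules and every sample URL other than forum.openai.com are assumptions.

```javascript
// Added illustration: a hypothetical origin gate, not Atlas source code.
// Assumption: "*.example.com" means strict subdomains of example.com, HTTPS only.
function hostMatches(host, pattern) {
  if (!pattern.startsWith("*.")) return host === pattern;
  const base = pattern.slice(2);
  // Require a label boundary so "evilopenai.com" does not match "*.openai.com".
  return host.length > base.length + 1 && host.endsWith("." + base);
}

function mayUsePrivilegedApi(pageUrl, allowlist) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return false; // unparseable input never gets privileged access
  }
  if (url.protocol !== "https:") return false;
  // The URL parser lower-cases the hostname; strip a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  return allowlist.some((pattern) => hostMatches(host, pattern));
}

const BEFORE_FIX = ["*.openai.com"];  // scope described for versions before 1.2025.288.15
const AFTER_FIX = ["*.chatgpt.com"];  // scope described for 1.2025.288.15

// Constructed sample URLs; only forum.openai.com is named in the advisory text.
const SAMPLES = [
  "https://forum.openai.com/t/example",
  "https://app.chatgpt.com/",
  "https://evilopenai.com/",
  "https://forum.openai.com.lookalike.example/",
  "http://forum.openai.com/",
];

// Returns the sample pages that would receive the privileged APIs.
function audit(allowlist) {
  return SAMPLES.filter((u) => mayUsePrivilegedApi(u, allowlist));
}

console.log("before fix:", audit(BEFORE_FIX));
console.log("after fix: ", audit(AFTER_FIX));
```

Under the wider list the forum host is trusted like any other subdomain, which is why a flaw in forum content reached the browser-level APIs; under the narrowed list it is ordinary web content.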
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to OpenAI Atlas version 1.2025.288.15 or later to mitigate the vulnerability.
Evidence notes
The vulnerability was reported by Hacktron, as referenced in their blog post [ref-4].
Official resources
- CVE-2026-11326 CVE record (CVE.org)
- CVE-2026-11326 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 8f4f43ab-ba69-4d92-aa1d-d772184d6fb7
CVE-2026-11326 was published on 2026-06-05T02:17:11.180Z and modified on 2026-06-05T18:17:04.343Z.