External risk intelligence

Lightpanda Cookie Handling Vulnerability Allows Authenticated Cross-Origin Requests

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-52843

This is a client-side vulnerability affecting how a headless browser handles session cookies during HTTP requests. It is a library-level or developer-tool issue used within applications rather than a standalone network-facing service or appliance, meaning it lacks a direct, public-internet-facing attack surface in common deployment patterns.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Lightpanda headless browser could allow an attacker to issue authenticated cross-origin requests by bypassing session cookie handling. This could potentially lead to unauthorized access to sensitive information or actions on behalf of a user within a Lightpanda session. The main concern is confirming relevance and exposure.

  • Browser flaw sends session cookies automatically.
  • Could enable unauthorized cross-origin requests.
  • Confirm if your applications use affected browser.

Attack Path

How an attacker could exploit the issue

An attacker could potentially leverage this vulnerability by tricking a user into interacting with a malicious origin served by a vulnerable Lightpanda instance. This interaction could lead to the unauthorized transmission of session cookies, enabling the attacker to perform authenticated cross-origin requests on behalf of the victim.

  • Requires user interaction with malicious origin.
  • Unconditionally attaches session cookies to requests.
  • Enables authenticated cross-origin requests.

Live Threat

Current exploitation, exposure, and threat context

When the Lightpanda headless browser is used in a vulnerable configuration, an attacker-controlled origin could issue authenticated cross-origin requests to a victim origin. This is because session cookies were unconditionally attached to all HTTP requests, regardless of the specified credential policy.

  • Authenticated session cookies.
  • Cross-origin requests.
  • Unauthorized access to services.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams responsible for integrating Lightpanda into their automation workflows should prioritize addressing this vulnerability. The immediate next step is to inventory all instances of Lightpanda, determine their exposure and criticality, and identify the accountable owner for each. Remediation planning should then be based on this risk assessment.

  • Application or platform teams own this issue.
  • Verify Lightpanda deployment and reachability.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Lightpanda?

Lightpanda is a headless browser designed specifically for AI and automation tasks. Unlike standard desktop browsers, it runs without a visible user interface, allowing developers to programmatically navigate the web, scrape data, or interact with web applications within automated workflows.

How does CVE-2026-52843 work?

This vulnerability is classified as CWE-346, or Origin Validation Error. The browser incorrectly handles session cookies by attaching them to every HTTP request, regardless of security settings. This flaw allows a malicious website visited during a session to send authenticated requests to other origins as if the user were legitimately performing the action.

Does this bug happen for all requests?

The issue specifically occurs when the browser manages session cookies during cross-origin requests. It does not necessarily trigger for standard, same-origin navigation. The vulnerability manifests because the browser ignores developer-defined security policies—like 'credentials: omit' or 'same-origin'—that are meant to prevent cookies from being sent to untrusted domains.

Is my software vulnerable according to Halo Surface Signal?

Halo Surface Signal indicates this is a library-level or developer-tool issue rather than a standalone, public-facing service. Because Lightpanda is typically embedded within applications as a tool, its exposure depends on how your specific automation software is built and what it browses, rather than being a directly internet-exposed appliance.

How do I fix the Lightpanda vulnerability?

The fix for this security flaw is to update your Lightpanda installation to version 0.2.9 or later. Platform teams should first inventory where the browser is integrated in their automation workflows to confirm which instances are running outdated versions, then prioritize patching these environments to restore proper credential handling.

References