VYPR
Critical severity 9.3 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-8950

Description

Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A same-origin policy bypass in the Networking: HTTP component could allow cross-origin data access.

Vulnerability

CVE-2026-8950 is a same-origin policy bypass in the Networking: HTTP component of Mozilla Firefox, Firefox ESR, and Thunderbird. It affects Firefox versions before 151, Firefox ESR versions before 140.11, Thunderbird versions before 151, and Thunderbird versions before 140.11 [1][2][3][4]. The exact mechanism is not detailed in the available references, but it involves the HTTP component's handling of cross-origin requests [1].

Exploitation

An attacker would need to convince a user to visit a malicious website [2]. The attack can be performed in a browser context; in Thunderbird, scripting is disabled when reading email, so exploitation via email is not feasible [2][3]. The specific conditions required to trigger the bypass are not publicly described [1].

Impact

Successful exploitation of this same-origin policy bypass could allow an attacker to read data from a different origin, leading to information disclosure. The impact is rated as moderate in the respective security advisories [1][2][3][4].

Mitigation

This vulnerability is fixed in Firefox 151 [1], Firefox ESR 140.11 [4], Thunderbird 151 [2], and Thunderbird 140.11 [3], all released on May 19, 2026. Users should update to these versions or later. No workarounds have been disclosed [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

References

5
