MEDIUM 6.5

CVE-2026-49144: BrowserStack Runner Path Traversal – Unauthenticated File Read Vulnerability

BrowserStack Runner versions up to 0.9.5 contain a path traversal flaw that allows attackers on the same network to read sensitive files from affected systems. The vulnerability exists in an unauthenticated HTTP server that runs by default, giving attackers a direct avenue to escape the intended project directory and access files elsewhere on the filesystem. No special privileges or user interaction are required to exploit this issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-22
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the _default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files. Attackers can exploit the unauthenticated HTTP server bound on all interfaces to traverse outside the project root and access sensitive files.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49144 is a path traversal vulnerability (CWE-22) in the _default HTTP handler within lib/server.js of BrowserStack Runner. The vulnerability allows unauthenticated, network-adjacent attackers to construct specially crafted HTTP requests that traverse the filesystem using path manipulation techniques (such as ../ sequences). The HTTP server is bound to all interfaces by default, meaning any attacker with network access—whether on the local subnet or a compromised adjacent system—can send requests to read arbitrary files on the affected host. The lack of authentication and input validation on file paths makes this vulnerability straightforward to exploit.

Business impact

This vulnerability enables attackers to exfiltrate sensitive data stored on systems running vulnerable versions of BrowserStack Runner. Potential exposure includes configuration files, API keys, credentials, source code, test data, and other proprietary or confidential information. For organizations relying on BrowserStack Runner in development or CI/CD pipelines, successful exploitation could lead to credential compromise, intellectual property theft, and lateral movement within the network. The lack of any detection by default makes the risk especially acute.

Affected systems

BrowserStack Runner through version 0.9.5 is affected. Organizations should audit deployments of this tool, particularly in development environments, CI/CD platforms, and test infrastructure. Any system with BrowserStack Runner running on a network where an attacker could gain layer 2 or layer 3 adjacency is at risk.

Exploitability

Exploitability is high. The attack requires only network access to the HTTP server—no authentication credentials, no special configuration changes, and no user interaction. An attacker can probe for the running service and send path traversal requests manually using basic HTTP tools. The CVSS vector (AV:A) reflects the network adjacency requirement, but this is not a significant barrier in many real-world scenarios, including compromised cloud instances, shared hosting environments, or internal networks with lateral movement capabilities.

Remediation

Upgrade BrowserStack Runner to a patched version that fixes the path traversal flaw. Verify with the BrowserStack security advisory for the minimum safe version. In the interim, restrict network access to systems running vulnerable versions by using firewall rules to limit which hosts can reach the HTTP server, preferably binding the server to localhost only if remote access is not required. Disable or isolate the affected instances until a patch can be applied.

Patch guidance

Check the official BrowserStack advisory and release notes for guidance on upgrading to a patched version. Once a patch is confirmed available, prioritize deployment to all systems running BrowserStack Runner, especially those in development, staging, and CI/CD environments. Verify the patch by confirming the version matches the minimum fixed version stated by the vendor. Test the upgrade in a non-production environment first to ensure no disruption to build or test workflows.

Detection guidance

Monitor HTTP access logs for patterns consistent with path traversal attempts, such as requests containing ../ sequences or encoded variants (%2e%2e%2f) targeting the HTTP server. Correlate access patterns with BrowserStack Runner service activity. Check for any failed or successful file-read operations outside the project root. Network-based detection can flag HTTP requests to the default BrowserStack Runner ports containing suspicious path sequences. Endpoint-side file integrity monitoring may alert on unexpected reads of sensitive files from the service process.

Why prioritize this

Although the CVSS score is moderate (6.5), this vulnerability merits prompt attention because it requires no authentication, no user interaction, and enables direct file exfiltration. In development and CI/CD environments where BrowserStack Runner often runs, exposure of build secrets, API keys, and source code can rapidly compound organizational risk. The ease of exploitation and broad potential for data theft justify prioritization ahead of higher-scoring vulnerabilities that are harder to exploit.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects a high confidentiality impact (C:H) offset by the requirement for network adjacency (AV:A) and the absence of integrity or availability impact. The score appropriately captures the threat of unauthorized data access while acknowledging that the attack vector is narrower than internet-wide exposure. However, in many enterprise settings where network segmentation is weak or where the affected system is cloud-hosted, the practical risk may exceed the base score.

Frequently asked questions

How do I know if my systems are running a vulnerable version of BrowserStack Runner?

Check the version of BrowserStack Runner installed on your systems. Any installation at version 0.9.5 or earlier is affected. Use package managers or the application's about/version dialog to confirm. If you are unsure of the deployment footprint, scan your environment for processes and services associated with BrowserStack Runner.

Is the HTTP server always running and exposed by default?

Yes. BrowserStack Runner's HTTP server is enabled by default and bound to all network interfaces, making it accessible to any host with network connectivity to the affected system. If your network permits lateral movement or if the system is cloud-hosted, the exposure is especially significant.

What is the difference between this vulnerability and authenticated path traversal flaws?

This vulnerability requires no credentials or login. An attacker does not need to compromise a user account or obtain an API token; they simply need network access to send HTTP requests. This dramatically lowers the barrier to exploitation compared to authenticated vulnerabilities and is why this flaw poses a material risk even with a moderate CVSS score.

Can I safely run BrowserStack Runner on an isolated development machine?

Running the tool on a machine with restricted network access—such as localhost-only or behind a firewall that blocks external connections—reduces but does not eliminate risk if the system itself is compromised or if a user is already inside the network. Patching remains the definitive fix; network isolation is a temporary compensating control.

This analysis is based on publicly available vulnerability data and the vendor's advisory as of the publication date. Security teams should verify all patch versions and compatibility information against the official BrowserStack security advisory and release notes. The practical risk of this vulnerability may vary based on network architecture, access controls, and deployment context. No guarantee is made regarding the completeness or real-time accuracy of detection or remediation guidance; security teams should validate all recommendations in their own environment before implementing production changes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).