CVE-2026-11326

Severity CVSS v4.0:

Pending analysis

Type:

CWE-284 Improper Access Control

Publication date:

05/06/2026

Last modified:

05/06/2026

Description

OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later.

Impact

References to Advisories, Solutions, and Tools

https://www.hacktron.ai/blog/hacking-openai-atlas-browser