CVE-2026-11326: OpenAI Atlas: XSS enables browser history exfiltration

AWAITING NVD
Published June 5, 2026
CISO Take

OpenAI Atlas, a browser extension used by ChatGPT users, improperly exposed privileged browser APIs—including full browsing history access and tab open/close control—to any script running on *.openai.com origins, meaning a cross-site scripting flaw in forum.openai.com was sufficient to weaponize the extension against visiting users. The attack requires no special privileges: an adversary only needs to plant or find an XSS payload on the OpenAI forum, a commonly visited and inherently trusted domain for the target audience, to silently harvest browsing history or redirect tabs to attacker-controlled infrastructure. No active exploitation or public exploit code has been reported, CVSS and EPSS scores are not yet assigned, and the vulnerability is not in CISA KEV; however, the potential for chaining with an XSS on a trusted domain makes the risk non-trivial for enterprises with employees using OpenAI tooling. Organizations should immediately upgrade Atlas to version 1.2025.288.15 or later, which restricts privileged API access to *.chatgpt.com only, and should audit AI-related browser extensions enterprise-wide for overly broad origin trust policies.

Sources: NVD, ATLAS, hacktron.ai

What is the risk?

MEDIUM. The vulnerability requires a two-step chain—an exploitable XSS in forum.openai.com plus a user who has Atlas installed and visits the compromised forum page—which limits opportunistic mass exploitation. However, the target demographic (security professionals, developers, CISOs evaluating AI tooling) routinely uses both the OpenAI forum and the Atlas extension, making spear-targeted attacks plausible. Browser history exfiltration can reveal sensitive internal URLs, authentication tokens embedded in redirect flows, and organizational SaaS footprints. Tab manipulation creates a vector for silent phishing redirects. The absence of CVSS scoring reflects NVD processing lag, not low severity.

Attack Kill Chain

  1. Initial Access via XSS (AML.T0049)

    Attacker plants or leverages a stored XSS payload in forum.openai.com, which executes in the *.openai.com trusted origin context when a user with Atlas installed visits the thread.

  2. Privilege Escalation via Extension API (AML.T0106)

    The XSS script invokes privileged browser APIs exposed by Atlas to the *.openai.com origin, bypassing the extension's intended access controls without any additional user interaction.

  3. Browser History Exfiltration (AML.T0025)

    The malicious script reads the victim's full browser history and exfiltrates it via fetch() to an attacker-controlled endpoint, exposing organizational URLs, SaaS application patterns, and potentially session tokens.

  4. Tab Manipulation for Follow-on Attack (AML.T0048.003)

    Attacker uses the tab open/close API to silently redirect the victim to a credential-harvesting page while keeping the original forum tab visible, enabling stealthy phishing without triggering suspicion.

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. PATCH

    Upgrade OpenAI Atlas to version 1.2025.288.15 or later on all endpoints. This restricts privileged API exposure to *.chatgpt.com only, eliminating the broad *.openai.com trust anchor.

  2. AUDIT

    Enumerate all AI-related browser extensions across the fleet (Chrome, Edge enterprise policies); review which extensions use broad origin match patterns in their manifest permissions.

  3. DETECT

    Review browser extension audit logs via endpoint management tooling (e.g., Chrome Enterprise, Jamf) for Atlas version compliance.

  4. MONITOR

    Watch for anomalous tab behavior or unexpected navigation events in browser telemetry from users who frequent forum.openai.com.

  5. POLICY

    Enforce extension allowlisting in enterprise browsers and require security review before approving AI productivity extensions that request broad host permissions.
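
An added example for the AUDIT and DETECT steps above (not code from OpenAI or the advisory): it flags wildcard origins in a manifest's `externally_connectable` and `host_permissions` when the extension also holds sensitive permissions, lists which user-content hosts those wildcards cover, and compares the installed version with the first fixed one. The sample entry, its name and its version are constructed; `ugcHosts` and `minVersions` are assumed inputs taken from your own inventory.

```javascript
const SENSITIVE = ["history", "tabs", "cookies", "webNavigation"];

// Compare dotted numeric versions ("1.2025.288.15"); a negative result means a < b.
function compareVersions(a, b) {
  const x = a.split(".").map(Number), y = b.split(".").map(Number);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Host part of a match pattern such as "https://*.example.com/*", or null if malformed.
function patternHost(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^(?:\*|https?|wss?):\/\/([^/]+)\//.exec(pattern);
  return m ? m[1].toLowerCase() : null;
}

// True when a pattern host covers hostname; "*.a.com" covers a.com and every subdomain.
function covers(pHost, hostname) {
  if (pHost === "*") return true;
  if (!pHost.startsWith("*.")) return pHost === hostname;
  return hostname === pHost.slice(2) || hostname.endsWith(pHost.slice(1));
}

// ugcHosts: hosts serving user-generated content; minVersions: name -> first fixed version.
function auditExtension(ext, ugcHosts, minVersions = {}) {
  const m = ext.manifest, findings = [];
  const sensitive = (m.permissions || []).filter((p) => SENSITIVE.includes(p));
  const patterns = [
    ...((m.externally_connectable || {}).matches || []).map((p) => ["externally_connectable", p]),
    ...(m.host_permissions || []).map((p) => ["host_permissions", p]),
  ];
  for (const [key, pattern] of patterns) {
    const h = patternHost(pattern);
    if (h === null || !(h === "*" || h.startsWith("*.")) || sensitive.length === 0) continue;
    findings.push({ type: "broad-origin", key, pattern, sensitive, exposed: ugcHosts.filter((u) => covers(h, u)) });
  }
  const min = minVersions[ext.name];
  if (min && compareVersions(ext.version, min) < 0) findings.push({ type: "outdated", min });
  return findings;
}

// Constructed stand-in for the trust scope the advisory describes; name and version are made up.
const SAMPLE = { name: "atlas-like-sample", version: "1.2025.288.14", manifest: {
  permissions: ["history", "tabs", "storage"],
  externally_connectable: { matches: ["https://*.openai.com/*"] } } };
console.log(auditExtension(SAMPLE, ["forum.openai.com"], { "atlas-like-sample": "1.2025.288.15" }));
```

A `broad-origin` finding with a non-empty `exposed` list is the case to triage first: a wildcard that covers a host serving user-generated content extends the extension's trust to whatever script that host can be made to run.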

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.6 - Information security in AI system development
NIST AI RMF: GOVERN 6.2 - Policies and procedures are in place to address AI risks and benefits
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-11326 actively exploited?

No confirmed active exploitation of CVE-2026-11326 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-11326?

1. PATCH: Upgrade OpenAI Atlas to version 1.2025.288.15 or later on all endpoints. This restricts privileged API exposure to *.chatgpt.com only, eliminating the broad *.openai.com trust anchor.
2. AUDIT: Enumerate all AI-related browser extensions across the fleet (Chrome, Edge enterprise policies); review which extensions use broad origin match patterns in their manifest permissions.
3. DETECT: Review browser extension audit logs via endpoint management tooling (e.g., Chrome Enterprise, Jamf) for Atlas version compliance.
4. MONITOR: Watch for anomalous tab behavior or unexpected navigation events in browser telemetry from users who frequent forum.openai.com.
5. POLICY: Enforce extension allowlisting in enterprise browsers and require security review before approving AI productivity extensions that request broad host permissions.

What systems are affected by CVE-2026-11326?

This vulnerability affects the following AI/ML architecture patterns: AI browser extensions, LLM web interfaces, AI productivity tooling.

What is the CVSS score for CVE-2026-11326?

No CVSS score has been assigned yet.

AI Security Impact

Affected AI Architectures

AI browser extensions, LLM web interfaces, AI productivity tooling

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0087 Gather Victim Identity Information
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.6
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM07

Technical Details

Original Advisory

OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later.

Exploitation Scenario

An attacker researching OpenAI Atlas identifies that the extension grants privileged browser API access to any script on *.openai.com. They discover or craft a stored XSS payload in a publicly accessible thread on forum.openai.com—a developer support forum where CISOs and AI engineers commonly seek help. When a targeted user with Atlas installed loads the thread, the injected script executes in the *.openai.com trusted origin context and invokes the exposed Atlas browser APIs. The script silently calls the history API to enumerate the past 30 days of browsing history, exfiltrates it to an attacker-controlled endpoint via fetch(), and simultaneously opens a new tab pointing to a lookalike login page for the victim's corporate SSO. The original forum thread remains visible and functional, giving the victim no indication that anything unusual occurred.

Timeline

Published: June 5, 2026
Last Modified: June 5, 2026
First Seen: June 5, 2026
