CVE-2026-49144: browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server

June 3, 2026

The HTTP server in browserstack-runner serves files from the project directory via the _default handler. This handler uses path.join(process.cwd(), uri) to resolve file paths but does not validate that the resulting path stays within the project root. Combined with the server binding on 0.0.0.0 (all interfaces) and the absence of any authentication, this allows an unauthenticated network-adjacent attacker to read arbitrary files from the host filesystem.

References

github.com/advisories/GHSA-8rpw-6cqh-2v9h
github.com/browserstack/browserstack-runner/security/advisories/GHSA-8rpw-6cqh-2v9h
nvd.nist.gov/vuln/detail/CVE-2026-49144
www.vulncheck.com/advisories/browserstack-runner-path-traversal-via-default-http-handler

Code Behaviors & Features

Detect and mitigate CVE-2026-49144 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →