VULNERABILITY
A same-origin policy (SOP) bypass vulnerability was identified in the Networking: JAR component of Mozilla Firefox and Mozilla Thunderbird. The affected versions fail to properly enforce origin restrictions when handling content addressed through jar: (Java Archive) URIs, allowing malicious scripts loaded via the jar: URI scheme to access resources belonging to other origins. This origin-validation flaw permits cross-origin data access that the browser's security model should strictly prohibit.
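As an added illustration (this is not Mozilla's code and does not describe the actual defect), the following reference function shows how origin attribution for jar: URIs should behave under the SOP: a resource inside an archive inherits the origin of the innermost archive URL, nested archives are unwrapped to that URL, and anything malformed is given an opaque origin that matches nothing. The nesting limit and the choice to treat non-http(s) archives as opaque are assumptions made for this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
MAX_NESTING = 4  # assumption: guard against pathological jar:jar:jar:... chains


def origin_of(url: str):
    """Return the (scheme, host, port) origin a resource should be attributed to.

    jar: URIs have the form jar:<archive-url>!/<entry-path>. The entry is just a
    file inside the archive, so its origin is the origin of the archive itself;
    for nested archives that means the innermost non-jar URL. Anything that
    cannot be resolved returns None, i.e. an opaque origin equal to nothing.
    """
    depth = 0
    while url[:4].lower() == "jar:":
        if depth >= MAX_NESTING:
            return None
        rest = url[4:]
        sep = rest.rfind("!/")  # last "!/" separates the archive URL from the entry
        if sep < 0:
            return None  # no entry separator: malformed jar: URI
        url = rest[:sep]
        depth += 1

    parts = urlsplit(url)
    # Assumption for this example: only schemes with a host/port origin are
    # attributable; file:, data:, etc. are treated as opaque.
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (parts.scheme, parts.hostname, port)


def same_origin(a: str, b: str) -> bool:
    """Strict SOP comparison: opaque (None) origins never match, not even themselves."""
    oa, ob = origin_of(a), origin_of(b)
    return oa is not None and oa == ob
```

A script served from an archive on app.example is therefore same-origin with https://app.example, while one served from an archive on any other host is not, regardless of where the jar: URI was embedded.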
IMPACT
Successful exploitation allows a network-based attacker to bypass fundamental browser security boundaries without requiring any user interaction or elevated privileges. This can lead to unauthorized access to sensitive cross-origin data including authentication tokens, session cookies, and personal information from other origins. The combination of a network attack vector, low attack complexity, and no authentication requirement means this vulnerability could be exploited at scale against any user running a vulnerable version of Firefox or Thunderbird, potentially resulting in complete compromise of user sessions and sensitive data exfiltration.
CVE ID
CVE-2026-2790
Vulnerability Type
Authentication Bypass / Same-Origin Policy Bypass
CWE
CWE-346 – Origin Validation Error
Vendor
Mozilla
Affected Products
Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, Thunderbird ESR < 140.8
CVSS Score
9.8 (Critical)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Privileges Required
None
User Interaction
None
DISCLOSURE TIMELINE
24 Feb 2026 CVE-2026-2790 published to NVD
26 Feb 2026 Last updated in NVD database
27 Feb 2026 Advisory published
CREDITS
Surya Dev Singh – Payatu Security Consulting Pvt. Ltd.