CVE-2026-2803
Published: 24 February 2026
Description
Information disclosure, mitigation bypass in the Settings UI component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Mandates protection of the contingency plan against unauthorized disclosure, reducing exposure of sensitive recovery and operational information.
The integrated analysis team enables faster detection and containment of incidents involving unauthorized exposure of sensitive information, limiting attacker success in exploiting such weaknesses.
Protecting the incident response plan from unauthorized disclosure prevents exposure of sensitive organizational details and response procedures to unauthorized actors.
Sanitizing equipment to remove specified information before off-site maintenance prevents exposure of sensitive information to unauthorized actors such as external maintenance personnel.
Requires explicit protection of plans from unauthorized disclosure, directly reducing exposure of sensitive system and privacy information contained in them.
Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle.
Mandates determining protection needs from defined processes, reducing the likelihood that protection mechanisms are omitted or ineffective by design.
Trained staff understand data-handling requirements and are less likely to expose sensitive information through misconfiguration or poor design.
Security SummaryAI
CVE-2026-2803 is an information disclosure and mitigation bypass vulnerability in the Settings UI component of Mozilla Firefox and Thunderbird. It affects versions of these products prior to Firefox 148 and Thunderbird 148, in which the issue was fixed. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-693 (Protection Mechanism Failure).
The vulnerability can be exploited by any remote, unauthenticated attacker with network access and low attack complexity, requiring no user interaction. Successful exploitation enables the attacker to obtain high-impact disclosure of sensitive information from the affected browser or email client while bypassing existing security mitigations.
Mozilla's security advisories MFSA 2026-13 and MFSA 2026-16, along with Bugzilla entry 2012012, detail the patch applied in Firefox 148 and Thunderbird 148. Security practitioners should prioritize updating affected instances to these versions or later to mitigate the risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Info disclosure + mitigation bypass in browser/email client Settings UI directly enables local data/credential harvesting from the affected application.