CVE-2026-4728

Medium

Published: 24 March 2026

Published

24 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS Score 0.0001 1.3th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-9 Previous Logon Notification

addresses: CWE-290

Reveals spoofed logon attempts through unexpected previous logon timestamps upon legitimate login.

AT-2 Literacy Training and Awareness

addresses: CWE-290

Training specifically addresses recognizing spoofed communications and phishing that enable authentication bypass.

IA-12 Identity Proofing

addresses: CWE-290

Requiring verifiable identity evidence at appropriate assurance levels makes it substantially harder for attackers to successfully spoof or impersonate users to obtain accounts.

IA-3 Device Identification and Authentication

addresses: CWE-290

Unique device authentication makes successful spoofing of device identity substantially more difficult to achieve.

IA-8 Identification and Authentication (Non-organizational Users)

addresses: CWE-290

Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing.

IA-9 Service Identification and Authentication

addresses: CWE-290

Unique identification and authentication of services before communications makes spoofing of service identities substantially harder.

SC-11 Trusted Path

addresses: CWE-290

Isolated trusted path ensures the user interacts only with genuine system components, preventing spoofing of authentication interfaces or prompts.

SC-20 Secure Name/Address Resolution Service (Authoritative Source)

addresses: CWE-290

Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source.

Security SummaryAI

CVE-2026-4728 is a spoofing vulnerability (CWE-290) in the Privacy: Anti-Tracking component of Mozilla Firefox and Thunderbird. The issue allows attackers to bypass authentication mechanisms through spoofing, earning a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N), classified as medium severity. It was addressed in Firefox version 149 and Thunderbird version 149.

The vulnerability can be exploited by unauthenticated remote attackers over the network with low complexity, but requires user interaction to succeed. Successful exploitation results in high integrity impact, enabling attackers to spoof anti-tracking protections without affecting confidentiality or availability.

Mozilla's security advisories (MFSA 2026-20 and MFSA 2026-23) detail the fix, recommending immediate upgrade to Firefox 149 or Thunderbird 149. Additional technical details are available in Bugzilla entry 2013179.

Details

CWE(s): CWE-290

Affected Products

mozilla

firefox

≤ 149.0

mozilla

thunderbird

≤ 149.0

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.

attack.mitre.org →

Why these techniques?

Spoofing-based auth bypass in browser anti-tracking directly enables adversary-in-the-middle attacks by allowing forged or impersonated tracking/auth signals.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2013179
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-20/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-23/
Vendor Advisory · security@mozilla.org