CVE-2024-52928

9.6 CRITICAL

📋 TL;DR

This vulnerability in the Arc browser for Windows allows a website that already holds one granted permission to acquire further permissions, without a new prompt, when the user clicks anywhere on the page. It affects Arc users on Windows who have granted any permission to any website.

💻 Affected Systems

Products:
  • Arc Browser
Versions: All versions before 1.26.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows version of Arc browser. Requires user to have previously granted at least one permission to the website.

📦 What is this software?

Arc is a Chromium-based web browser developed by The Browser Company. This issue is specific to the Windows build.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious site that already holds one permission could silently obtain camera, microphone, location, and notification access, reaching sensitive data without any consent prompt.

🟠

Likely Case

A malicious website with an existing grant could silently add notification, location, or other permissions to track the user or push unwanted content.

🟢

If Mitigated

With the browser updated to 1.26.1 or later and site permissions reviewed, impact is limited to the nuisance of removing any grants a site gave itself before the patch.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No
Weaponized: Likely
Unauthenticated Exploit: No (no credentials needed, but a user click is)
Complexity: LOW

Exploitation requires user interaction (a click anywhere on the malicious page) but is otherwise trivial once the site holds any granted permission.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.26.1

Vendor Advisory: https://arc.net/security/bulletins#windows-site-settings-bypass-cve-2024-52928

Restart Required: Yes

Instructions:

1. Open Arc browser.
2. Click menu → About Arc.
3. Arc will auto-update if it is not already on 1.26.1 or later.
4. Restart the browser when prompted.

🔧 Temporary Workarounds

Revoke existing site permissions (Windows)

The bug needs a site that already holds at least one permission, so removing every grant removes the precondition. Open Arc → Settings → Privacy and Security → Site Settings → review and remove permissions.

Use an alternative browser (Windows)

Temporarily switch to another browser until Arc is patched.

🧯 If You Can't Patch

  • Avoid interacting with untrusted websites, especially any that already hold a permission
  • Regularly review and clear site permissions in Arc settings

🔍 How to Verify

Check if Vulnerable:

Check Arc version in menu → About Arc. If version is below 1.26.1, you are vulnerable.

Check Version:

Open Arc browser and navigate to menu → About Arc

Verify Fix Applied:

Confirm version is 1.26.1 or higher in About Arc menu.

📡 Detection & Monitoring

Log Indicators:

Arc does not ship a dedicated permission audit log, so these indicators assume endpoint telemetry or periodic collection of the profile's site-settings store.

  • Unexpected permission grants that no user prompt accounts for
  • Several permissions granted to the same site within seconds of each other

Network Indicators:

  • Sites holding unusual permission combinations (for example, a news site with camera, microphone, and location)

SIEM Query (illustrative; field names depend on your telemetry source):

browser:arc AND event:permission_grant AND version:<1.26.1
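The version check in "How to Verify" and the permission indicators above can be scripted. The block below is an added example, not code from this page or from the Arc vendor. It assumes that Arc on Windows keeps its profile in the Chromium layout (a JSON file named Preferences with site permissions under profile.content_settings.exceptions, Chromium ContentSetting values ALLOW=1/BLOCK=2/ASK=3, and last_modified timestamps in microseconds since 1601-01-01); confirm that against a real profile before relying on it. The sample Preferences content is constructed, not a capture.

```python
"""Audit an Arc/Chromium profile for suspicious site-permission grants
and check the installed version against the fixed release.

Added example (not vendor code). Assumes the Chromium 'Preferences'
layout described in the lead-in; verify against a real profile.
"""
import json
import re
from datetime import datetime, timedelta, timezone

PATCHED_VERSION = (1, 26, 1)   # first fixed release per the advisory
ALLOW = 1                      # Chromium ContentSetting::ALLOW (assumed)
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Permission types whose combined presence on one origin deserves a look.
SENSITIVE = {"media_stream_camera", "media_stream_mic",
             "geolocation", "notifications"}


def parse_version(text):
    """'1.26.1' -> (1, 26, 1); ignores trailing build components."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts[:3])


def is_vulnerable(version_text):
    """True when the installed version predates 1.26.1."""
    v = parse_version(version_text)
    v = v + (0,) * (3 - len(v))   # pad '1.26' to (1, 26, 0)
    return v < PATCHED_VERSION


def chromium_time(value):
    """Chromium serialises base::Time as microseconds since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=int(value))


def allowed_grants(preferences_json):
    """Return {origin: {permission: granted_at}} for every ALLOW entry."""
    prefs = json.loads(preferences_json)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {}))
    grants = {}
    for permission, entries in exceptions.items():
        for pattern, entry in entries.items():
            if entry.get("setting") != ALLOW:
                continue                       # BLOCK/ASK are not grants
            origin = pattern.split(",")[0]     # 'https://x:443,*' -> origin
            stamp = chromium_time(entry.get("last_modified", 0))
            grants.setdefault(origin, {})[permission] = stamp
    return grants


def sensitive_combinations(grants, minimum=3):
    """Origins holding at least `minimum` of the SENSITIVE permissions."""
    return sorted(origin for origin, perms in grants.items()
                  if len(SENSITIVE & perms.keys()) >= minimum)


def grant_bursts(grants, window=timedelta(minutes=2), minimum=3):
    """Origins that collected `minimum` or more grants inside one `window`.

    A silent bulk grant leaves several last_modified stamps seconds apart;
    a user answering prompts one at a time over days does not.
    """
    bursts = []
    for origin, perms in grants.items():
        times = sorted(perms.values())
        for i in range(len(times) - minimum + 1):
            if times[i + minimum - 1] - times[i] <= window:
                bursts.append(origin)
                break
    return sorted(bursts)


# Constructed sample in the Chromium layout (not a real capture).
T = 13_370_000_000_000_000  # roughly 2024-09-05 UTC in Chromium microseconds
SAMPLE_PREFERENCES = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://news.example:443,*": {"last_modified": str(T), "setting": 1},
        "https://shop.example:443,*": {"last_modified": str(T), "setting": 2},
    },
    "geolocation": {
        "https://news.example:443,*": {"last_modified": str(T + 40_000_000), "setting": 1},
    },
    "media_stream_camera": {
        "https://news.example:443,*": {"last_modified": str(T + 55_000_000), "setting": 1},
        "https://meet.example:443,*": {"last_modified": str(T), "setting": 1},
    },
    "media_stream_mic": {
        "https://meet.example:443,*": {"last_modified": str(T + 86_400_000_000), "setting": 1},
    },
}}}})


if __name__ == "__main__":
    print("1.25.3 vulnerable:", is_vulnerable("1.25.3"))
    grants = allowed_grants(SAMPLE_PREFERENCES)
    for origin, perms in sorted(grants.items()):
        print(origin, sorted(perms))
    print("sensitive combinations:", sensitive_combinations(grants))
    print("grant bursts:", grant_bursts(grants))
```

On the sample, the news site is flagged by both checks (three sensitive permissions, all granted within a minute), while the meeting site with camera and microphone granted a day apart is not. To run it against a real profile, read the Preferences file from the Arc profile directory and pass its contents to allowed_grants; the meeting-site case is why the burst check counts grants rather than just sensitive types.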

🔗 References

  • Vendor advisory: https://arc.net/security/bulletins#windows-site-settings-bypass-cve-2024-52928
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-52928