CVE-2026-10922: Chrome DevTools Same-Origin Policy Bypass (CVSS 8.8)
CVE-2026-10922 is a same-origin policy bypass vulnerability in Google Chrome's Developer Tools that allows an attacker to access data or perform actions they normally shouldn't be able to. The flaw stems from inadequate validation of untrusted input, meaning malicious network traffic can exploit it if a user performs certain interactions with the DevTools interface. While the attack requires user interaction, it carries significant impact—unauthorized access to sensitive information, unauthorized modifications, or disruption of services are all possible. The vulnerability affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via malicious network traffic. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability exists in Chrome's DevTools component and relates to insufficient input validation (CWE-20). DevTools typically operates with elevated privileges and can interact with web content across origins under normal circumstances. When a developer opens or interacts with DevTools, an attacker can use crafted network traffic to manipulate DevTools behavior, circumventing the same-origin policy that usually prevents cross-origin data access. The vulnerability requires the user to perform specific UI gestures—likely opening DevTools or interacting with certain UI elements—making it a user-assisted but otherwise remotely exploitable flaw. The attack vector is network-based, attack complexity is low, and no elevated privileges are required from the attacker's perspective.
Business impact
Organizations and individuals relying on Chrome for secure browsing face meaningful risk. An attacker who exploits this could access sensitive data displayed in web applications, session tokens, or credentials entered in one origin from another origin context—effectively breaking the fundamental isolation that underpins web security. For businesses, this could lead to unauthorized access to internal applications, customer data exfiltration, or manipulation of business-critical web services. The high severity rating reflects the combination of confidentiality, integrity, and availability impacts. End users are at risk of credential theft and data compromise when visiting attacker-controlled or compromised websites.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are vulnerable. The underlying issue may also affect or be related to Chromium-based components on Windows, macOS, and Linux. Other Chromium-based browsers (Edge, Brave, Opera, etc.) may warrant investigation depending on their version and sync with upstream Chromium patches. Apple macOS and the Linux kernel are listed as affected platforms, likely indicating that Chrome on those operating systems requires patching. Windows systems running vulnerable Chrome versions are similarly at risk.
Exploitability
The vulnerability is readily exploitable in a practical sense: it requires only network access and user interaction (opening or using DevTools). No authentication is needed, and attack complexity is low. However, it does depend on social engineering or user behavior—convincing a user to open DevTools or engage in specific UI gestures while visiting a malicious site. This is feasible through watering-hole attacks, phishing, or compromised advertisements. Once those conditions are met, exploitation is straightforward. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, but its high severity and low barrier to exploitation mean active weaponization could occur.
Remediation
The immediate remedy is to update Google Chrome to version 149.0.7827.53 or later. Users should enable automatic updates in Chrome settings to ensure they receive this patch as soon as it rolls out. Organizations should validate patch deployment across their user base, especially for enterprise deployments. Additionally, consider restricting DevTools access in enterprise environments where feasible—some organizations disable DevTools for end users via group policy or browser configuration to reduce attack surface. Monitor for any signs of exploitation, such as unexpected data access or session hijacking.
Patch guidance
Google Chrome will deploy the fix in version 149.0.7827.53 or later. Verify the exact version released by checking Google's official security update page. Most users with auto-update enabled will receive the patch automatically within hours of the stable release. Enterprise administrators should test the patched version in a staging environment and then roll out via mobile device management (MDM) or group policy. For macOS and Linux users, ensure that Chrome updates are applied—package managers on Linux distributions should pull the patched version from upstream. After patching, force a browser restart to load the fixed binary.
Detection guidance
Detection during exploitation is challenging because the attack involves DevTools interaction and network traffic manipulation. Look for suspicious patterns: users with DevTools open accessing cross-origin resources, unusual network requests originating from or targeting DevTools components, or web application logs showing unexpected data access from unexpected origins. Monitor for sudden spikes in session hijacking or credential compromise correlated with Chrome usage. Endpoint detection and response (EDR) tools should flag abnormal Chrome process behavior or unusual inter-process communication. Network sensors looking for malicious payloads may detect the crafted network traffic if signatures are available post-analysis. Threat hunting should focus on identifying whether any user opened DevTools on a potentially malicious site during the vulnerability window.
Why prioritize this
This vulnerability merits immediate prioritization due to its high CVSS score (8.8), low attack complexity, and broad impact on confidentiality, integrity, and availability. Although user interaction is required, the barrier to social engineering DevTools interaction is low, especially in targeted campaigns. The same-origin policy is foundational to web security, and its bypass puts all sensitive web-based data at risk. Chrome's ubiquitous deployment across consumer and enterprise environments amplifies the blast radius. The absence of active exploitation in the KEV catalog provides a small window to patch before weaponization becomes widespread.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible vulnerability with low attack complexity and no privilege requirements. The score is driven primarily by the three impact metrics—confidentiality, integrity, and availability are all marked as HIGH because a successful exploit allows an attacker to read, modify, or disrupt web application functionality across origins. The scope is unchanged (User), meaning the impact is limited to the vulnerable component and its direct trust boundary, not the entire system. The user interaction requirement (UI:R) prevents a perfect 9.0+ score but does not reduce severity below 8.0. The scoring reasonably represents the real-world danger of a same-origin policy bypass.
Frequently asked questions
If I haven't opened DevTools, am I still vulnerable?
The vulnerability requires specific UI gestures to exploit—typically opening or interacting with DevTools. If you never open DevTools and a website has no way to force it open, your direct exposure is lower. However, automated enterprise deployments or developer tools that interact with DevTools programmatically could be exploited. The safest assumption is that any Chrome user visiting a malicious site faces risk if the attacker can trigger the necessary interaction, so update regardless.
Does this affect Chrome on my smartphone?
Chrome on Android and iOS may be affected depending on their version alignment with the main Chrome branch. Check your mobile device settings for Chrome version number and ensure automatic updates are enabled. Mobile browsers may have different DevTools behavior, but you should still update to the latest version as soon as possible.
What's the difference between this and a regular XSS vulnerability?
A traditional cross-site scripting (XSS) vulnerability allows an attacker to inject malicious code into a website that runs in the victim's browser. This vulnerability is different: it exploits DevTools itself to bypass the same-origin policy, potentially affecting multiple origins or allowing an attacker to access data from sites they did not inject code into. It's a fundamental flaw in the browser's security model rather than a website vulnerability.
Should my organization disable DevTools?
For high-security environments or non-technical users, disabling DevTools via group policy or browser configuration can reduce attack surface. However, developers and technical staff need DevTools for their work. A balanced approach is to restrict DevTools to known-good networks, educate users not to open it on untrusted sites, and ensure rapid patching. Disabling DevTools organization-wide is usually impractical unless you have very few developers.
This analysis is based on the CVE record and Chromium security advisory published as of 2026-06-17. CVSS scores and severity ratings reflect the vendor's assessment at the time of publication. Exploit code is not provided. Organizations should verify patch availability and compatibility in their specific environments before deployment. SEC.co does not endorse or recommend any particular mitigation strategy without understanding your risk profile and network architecture. This is informational content and should not be considered a substitute for professional security advice from your organization's security team or a qualified cybersecurity consultant. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10969HIGHChrome Extension Privilege Escalation Vulnerability – Patch Guidance
- CVE-2026-10970HIGHChrome Sandbox Escape via InterestGroups Input Validation Flaw
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)