CVE-2026-10937: Chrome Same-Origin Policy Bypass in Password Handling
CVE-2026-10937 is a same-origin policy bypass vulnerability in Google Chrome's password handling logic. An attacker can craft a malicious HTML page that, when visited by a user, exploits an implementation flaw to circumvent Chrome's same-origin policy protections. This could allow unauthorized script execution or data access across domain boundaries, though the actual impact depends on how the flaw is chained with other browser capabilities. The vulnerability affects Chrome versions prior to 149.0.7827.53 and requires user interaction to trigger.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-346
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from inappropriate implementation in Chrome's password management component, classified under improper restriction of rendered UI layers to intended boundaries (CWE-346). The same-origin policy (SOP) is a fundamental browser security model that prevents scripts and resources from one origin from accessing those of another. This flaw allows a remote attacker to bypass that protection via a specially crafted HTML page, earning a Chromium security severity rating of High. The CVSS 3.1 score of 6.5 (MEDIUM) reflects a network-based attack with low complexity, no privileges required, but user interaction necessary, with high integrity impact but no confidentiality or availability impact—suggesting the vulnerability enables unauthorized modification or injection rather than data theft or service disruption.
Business impact
If exploited, this vulnerability could allow attackers to manipulate password-related functionality or inject unauthorized content into sensitive web applications from attacker-controlled domains. For enterprises, the risk centers on credential interception, session hijacking via cross-origin scripts, or phishing attacks that exploit Chrome's password autofill features. Users relying on Chrome's built-in password manager are particularly exposed if an attacker crafts a page that bypasses origin boundaries to access or modify stored credentials or inject fake password prompts. The requirement for user interaction mitigates widespread automated exploitation, but targeted attacks remain feasible.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are affected. This includes all stable, beta, dev, and canary releases below that version number across Windows, macOS, Linux, Android, and iOS platforms. Organizations running Chrome on workstations, Chromebooks, or via Chrome Remote Desktop should prioritize verification of current versions. Note that Chromium-based browsers built on older Chromium source may also be vulnerable depending on their base version and vendor patches.
Exploitability
This vulnerability requires user interaction—the attacker must trick a user into visiting a crafted HTML page. There is no evidence of active exploitation in the wild (CVE-2026-10937 is not listed on the CISA Known Exploited Vulnerabilities catalog). However, the attack vector is network-based and the barrier to entry is low: an attacker needs only to host a malicious page and socially engineer a visit. The complexity is low, suggesting the exploit technique is relatively straightforward once discovered. Organizations should assume that proof-of-concept or weaponized exploits will emerge shortly after public disclosure, especially given the High severity rating from Chromium.
Remediation
Immediate action: update Google Chrome to version 149.0.7827.53 or later. Chrome auto-updates by default, but users and administrators should verify the current version via Chrome menu > Help > About Google Chrome and confirm the update has completed. For enterprise deployments, administrators can force updates via group policy (Windows) or mobile device management (MDM) policies for Chrome OS and mobile devices. Test functionality of password autofill and cross-origin authentication flows post-update to ensure no regressions. Monitor for any security advisories from Google related to this CVE in case additional mitigations are recommended.
Patch guidance
Google has released Chrome 149.0.7827.53 or later to address this vulnerability. Verify patching by checking chrome://version/ in the browser address bar. Enterprise administrators deploying via managed environments should reference Google's official Chrome security release notes to confirm the build number and deployment timeline. Rollback is unlikely to be necessary unless the patched version introduces critical regressions; in that case, coordinate with Google support and apply any subsequent security patches immediately. For Chromebook environments, ensure automatic updates are enabled and the device has restarted to apply patches. Mobile Chrome users on iOS should update via the App Store; Android users should update via the Play Store or managed deployment tools.
Detection guidance
Detection of exploitation attempts is challenging without access to Chrome's internal logging. Organizations can implement network monitoring to identify suspicious HTML page requests or injection attempts, particularly from untrusted sources. Endpoint Detection and Response (EDR) tools can monitor for unexpected JavaScript execution or credential manager access from unusual processes. Browser-based monitoring via Chrome security extensions or enterprise policy enforcement can log warnings when same-origin policy violations are detected, though the vulnerability itself bypasses these mechanisms. Consider monitoring for increased phishing or credential-harvesting campaigns targeting your user base, as attackers may pair this flaw with social engineering. SIEM correlation of failed login attempts, unauthorized password manager access, or cross-origin requests may provide indirect signals.
Why prioritize this
While the CVSS score is MEDIUM (6.5), the context elevates priority: (1) Chrome's ubiquity in enterprise environments means exposure is widespread; (2) same-origin policy bypass is a fundamental browser security failure with potential for chaining with other attacks; (3) password manager exploitation directly threatens credential security; (4) the High Chromium severity rating indicates Google's own assessment is severe; (5) rapid patch availability means risk can be mitigated quickly with proper update deployment. Organizations should treat this as HIGH priority for patching within 2–4 weeks, not as low-severity due to CVSS alone.
Risk score, explained
The CVSS 3.1 score of 6.5 (MEDIUM) reflects: Network-based attack vector (AV:N) favors exploitation ease; Low attack complexity (AC:L) means the exploit is not sophisticated; No privileges required (PR:N) and user interaction required (UI:R) indicate attack feasibility but not automated weaponization; Unchanged scope (S:U) means the impact is limited to the affected component; No confidentiality impact (C:N) suggests no direct data theft; High integrity impact (I:H) means unauthorized modification is possible; No availability impact (A:N) indicates no service disruption. The score appropriately reflects a serious but not catastrophic vulnerability. However, the Chromium HIGH severity rating and password-management context suggest functional risk may exceed the numeric score for security teams focused on identity and credential protection.
Frequently asked questions
Does this vulnerability affect Chrome on mobile devices?
Yes. The vulnerability affects Google Chrome on Android, iOS, and all other platforms running affected versions prior to 149.0.7827.53. Mobile users should ensure Chrome is updated via the Play Store (Android) or App Store (iOS). Mobile device management (MDM) solutions can enforce updates enterprise-wide.
If a user has two-factor authentication (2FA) enabled on their accounts, does this vulnerability still pose a risk?
Yes. While 2FA mitigates certain account takeover scenarios, this vulnerability's integrity impact could allow an attacker to inject fake password prompts or manipulate password autofill behavior across domain boundaries. Phishing and social engineering attacks could still succeed. 2FA does not prevent all downstream harm from a same-origin policy bypass.
How can I confirm that the patch has been successfully applied?
Open Google Chrome, click the menu icon (three horizontal lines), select Help > About Google Chrome, and note the version number displayed. If it is 149.0.7827.53 or later, the patch has been applied. Chrome will also display a notification when an update is ready; restarting the browser ensures the update takes effect.
Is this vulnerability being actively exploited in the wild?
As of the published date (June 4, 2026), there is no evidence of active exploitation. CVE-2026-10937 is not on CISA's Known Exploited Vulnerabilities (KEV) list. However, organizations should assume that proof-of-concept exploits will emerge following public disclosure, so timely patching is essential.
This vulnerability intelligence is provided for informational purposes. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this analysis. Patch version numbers, affected product lists, and CVSS scores are derived from official vendor advisories and public CVE records; verify against Google's official Chrome security release notes before deployment. Organizations should conduct their own risk assessment and testing in non-production environments prior to broad patching. This content is not a substitute for professional security consultation or incident response services. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10010MEDIUMChrome Android Site Isolation Bypass
- CVE-2026-10996MEDIUMChrome Same-Origin Policy Bypass in Web Workers
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-34460MEDIUMNamelessMC OAuth State Validation Flaw Enables Session Hijacking
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0039MEDIUMAndroid Integer Overflow Denial of Service Vulnerability