MEDIUM 6.5

CVE-2026-10980: Chrome Same-Origin Policy Bypass in DevTools – Patch Guidance

Google Chrome versions before 149.0.7827.53 contain a flaw in DevTools that allows an attacker who has already compromised the browser's rendering engine to bypass the same-origin policy—a core security boundary that prevents websites from accessing each other's data. An attacker could craft a malicious HTML page to exploit this, potentially gaining unauthorized access to sensitive information from other websites.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-20
Affected products
1 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10980 stems from insufficient input validation in Chrome's Developer Tools component. The vulnerability exists in the renderer process and permits an attacker with renderer compromise to craft a specially designed HTML page that circumvents same-origin policy enforcement. This is classified as CWE-20 (Improper Input Validation). The attack requires prior renderer process compromise, meaning the attacker must already have code execution in the browser tab context before leveraging this flaw to escalate their access capabilities.

Business impact

If exploited in the wild, this vulnerability could lead to data theft from other open website sessions, session hijacking, or credential harvesting. For organizations where employees use Chrome for sensitive work (banking, email, SaaS access), a compromised renderer could be weaponized to harvest cross-origin data. The requirement for prior renderer compromise moderates the risk in typical user scenarios, but targeted attacks against high-value targets (developers, researchers, finance professionals) may justify prioritization.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are affected. This includes all stable, beta, and extended-release channels of Chrome on Windows, macOS, Linux, Android, and iOS running vulnerable versions. Chromium-based browsers that incorporate the affected code path may also be impacted; verify with vendor documentation for edge browsers, Brave, Opera, or other Chromium derivatives.

Exploitability

Exploitation requires two conditions: (1) the attacker must first compromise the renderer process (via a separate vulnerability, malicious script injection, or other means), and (2) the user must then visit a crafted HTML page while the renderer is compromised. This two-stage requirement reduces the attack surface compared to remote code execution vulnerabilities. However, the logic flaw itself is not inherently difficult to weaponize once renderer access is achieved. Public exploit code is not known to exist as of publication, and this CVE has not been added to the CISA Known Exploited Vulnerabilities catalog.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome typically auto-updates on restart; users can manually check for updates via Chrome menu > About Google Chrome. Organizations managing Chrome deployments should use Group Policy (Windows), managed preferences (macOS), or Mobile Device Management (MDM) to enforce the patched version. For Chromium-based derivatives, consult vendor-specific advisory and patch timelines.

Patch guidance

1. Users: Restart Chrome to trigger the auto-update mechanism or manually navigate to About Chrome to force update checks. 2. Administrators: Deploy version 149.0.7827.53 or later via your centralized update mechanism (WSUS, Jamf, Intune, MDM platform). 3. Organizations using extended-release channels should confirm that version 149.0.7827.53 is available in their deployment channel before mandating updates. 4. Verify patch application by checking Chrome://version in a new tab; confirm the version number matches or exceeds 149.0.7827.53.

Detection guidance

Monitor Chrome version inventory across your environment to identify instances running pre-149.0.7827.53 builds. Endpoint Detection and Response (EDR) tools should flag instances of Chrome process injection or unusual renderer process spawning, which may indicate exploitation attempts. Web Isolation or Enhanced Safe Browsing modes in Chrome can provide additional defense by sandboxing suspicious content. Network-based detection is challenging since the attack occurs post-renderer-compromise; focus on behavioral indicators such as anomalous cross-origin data exfiltration or unusual script execution patterns.

Why prioritize this

Although the CVSS score is 6.5 (MEDIUM) and the vulnerability is not yet on CISA's KEV list, the nature of same-origin policy bypass combined with Chrome's ubiquity in enterprise environments warrants near-term patching. The two-stage exploitation requirement (prior renderer compromise) prevents this from being critical, but it should not be deprioritized indefinitely. Organizations should patch within 30 days as part of routine Chrome maintenance, sooner if any evidence of renderer compromise (malware, watering hole attacks) is detected in the environment.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects attack complexity and user interaction requirements. Network-based delivery (AV:N), low attack complexity (AC:L), and no privilege requirement (PR:N) inflate the base score. However, user interaction is required (UI:R), scope is unchanged (S:U), and there is no confidentiality loss (C:N) to the user—only integrity compromise (I:H) to the same-origin security model. The score balances the severity of same-origin policy bypass against the practical requirement of prior renderer compromise, landing in the MEDIUM range rather than HIGH.

Frequently asked questions

Do I need to update immediately, or can I schedule this patch?

This is not a zero-day and has not been observed in active exploitation. You can schedule the patch within your normal maintenance cycle (30 days is a reasonable window), but do not delay indefinitely. If you detect evidence of renderer compromise or malware in your environment, accelerate the timeline to immediate.

Will Chrome auto-update for me, or do I need to do it manually?

Chrome auto-updates on restart by default. If you have disabled auto-updates via policy, you must manually trigger updates or deploy the patch via your management platform. Check your organization's Chrome configuration to confirm auto-update status.

Does this affect Chromium-based browsers like Edge, Brave, or Opera?

It may, depending on whether those browsers incorporate the vulnerable DevTools code path and version parity with Chrome. Review the security advisories from Edge, Brave, Opera, and other vendors to confirm their vulnerability and patch status; do not assume they are unaffected.

Is there any workaround if I cannot patch immediately?

There is no practical workaround. Mitigation options include: (1) disabling or restricting DevTools access via Chrome policy, (2) deploying Chrome in a web isolation or sandbox environment, or (3) temporarily using a non-Chromium browser for sensitive cross-origin workflows. However, these are temporary measures only; patching is the definitive fix.

This analysis is provided for informational purposes and does not constitute legal, security, or investment advice. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Organizations should independently verify all patch versions, affected product versions, and vendor advisories before making deployment decisions. Patch applicability, compatibility, and dependencies vary by environment; consult vendor documentation and test in a non-production environment before enterprise-wide rollout. The absence of public exploit code or KEV listing does not guarantee that exploitation does not occur; maintain vigilant monitoring regardless of official threat intelligence. Refer to Google's official Chromium security advisory and your vendor's guidance for the most current information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).