CVE-2026-10996: Chrome Same-Origin Policy Bypass in Web Workers
Google Chrome versions before 149.0.7827.53 contain a vulnerability in how Web Workers are implemented that could allow an attacker to bypass the same-origin policy—a fundamental browser security boundary. An attacker could craft a malicious HTML page that, when visited by a user, potentially accesses or modifies content from other websites in the victim's browser session. This requires user interaction (visiting the crafted page) but does not require any special browser features to be enabled.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-346
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Workers in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10996 is a same-origin policy (SOP) bypass vulnerability arising from inappropriate implementation in Google Chrome's Workers subsystem. The vulnerability exists in the Web Workers API, which allows scripts to run in background threads isolated from the main page context. The flaw enables a remote attacker to circumvent SOP protections through a specially crafted HTML page, potentially allowing access to cross-origin data or execution of actions in contexts where they should be restricted. The issue is classified as Medium severity by Chromium's security team and is categorized under CWE-346 (Origin Validation Error).
Business impact
If exploited, this vulnerability could lead to unauthorized data access across websites, credential theft from authenticated sessions, or unauthorized actions performed on behalf of users on vulnerable sites. Organizations should prioritize patching to prevent attackers from leveraging this to steal sensitive information, manipulate user data, or perform unauthorized transactions. The impact is particularly relevant for enterprises where employees visit untrusted sites or receive phishing emails with malicious links.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are vulnerable. This includes all stable-channel Chrome releases before that version number, as well as users on older Chromium-based browsers that have not received the upstream patch. Chrome on Windows, macOS, and Linux are all affected equally.
Exploitability
The vulnerability requires user interaction—specifically, a user must visit or be tricked into visiting an attacker-controlled or compromised website hosting the crafted HTML page. No elevated privileges, special browser settings, or complex interactions are needed beyond the initial page visit. The low complexity of exploitation (standard web attack pattern) and public availability of the attack surface make this a practical threat, though it is not yet tracked in CISA's Known Exploited Vulnerabilities catalog.
Remediation
Users and administrators must update Chrome to version 149.0.7827.53 or later. Organizations should enable automatic Chrome updates if not already configured, and verify that users on managed devices have completed the update. For IT teams, this can be validated through Chrome's built-in version reporting (chrome://version/) or mobile device management (MDM) tools in enterprise environments.
Patch guidance
Apply Chrome version 149.0.7827.53 or any subsequent release. On Windows and macOS, Chrome typically updates automatically; users can manually check for updates via Chrome menu > Help > About Google Chrome, which will prompt an immediate restart if an update is available. On Linux, verify your package manager has distributed the patched version. For enterprises using Google Chrome Enterprise, the patch should be available in the stable channel and can be pushed via Active Directory Group Policy or MDM tools.
Detection guidance
Monitor browser version telemetry across your organization to identify systems still running Chrome versions prior to 149.0.7827.53. Check Chrome enterprise reporting dashboards or MDM console for version compliance. On the endpoint level, inspect running Chrome processes or query the Chrome registry/application data for version information. Additionally, monitor web server logs for suspicious Worker-related requests or unusual cross-origin access patterns, though direct detection of exploitation attempts is difficult without application-layer instrumentation.
Why prioritize this
Although marked as Medium severity and not yet tracked as actively exploited, this vulnerability should be prioritized for patching because: (1) it affects the near-universal Chrome browser, (2) same-origin policy bypass is a high-impact attack vector used in real-world phishing and malware campaigns, (3) the barrier to exploitation is low (user visitation to a crafted page), and (4) the patch is straightforward and carries minimal risk. Organizations should target patching within 1-2 weeks of release.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects a network-accessible, low-complexity attack requiring user interaction, with high integrity impact (unauthorized modification) but no confidentiality or availability loss in the base vector. The score appropriately captures the real-world risk of a web-based SOP bypass, balancing the ease of exploitation against the requirement for user click-through and the absence of critical system-level compromise.
Frequently asked questions
Will Chrome update automatically for me?
Yes, Chrome on Windows, macOS, and Linux checks for updates automatically and will download version 149.0.7827.53 or later in the background. A notification will appear prompting you to restart your browser. If you'd like to update immediately, go to Chrome menu > Help > About Google Chrome to force a version check and restart.
Could an attacker exploit this without any action from me?
No. An attacker must trick you into visiting a malicious website or page. Simply having Chrome installed is not enough; you must actively navigate to or be redirected to the attacker's crafted HTML page. Avoid clicking links in unsolicited emails or messages, especially from unknown senders.
Is this vulnerability already being exploited in the wild?
No. As of the last official update, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning there is no confirmed evidence of active exploitation. However, the relatively straightforward nature of the exploit means organizations should not delay patching.
What is the same-origin policy and why does bypassing it matter?
The same-origin policy is a fundamental browser security rule that prevents scripts on one website from accessing data or performing actions on another website without explicit permission. A bypass could allow an attacker to steal your login credentials, read confidential emails, or perform transactions on your behalf on other websites you're logged into.
This analysis is based on official Chromium security advisories and CVE data current as of the publication date. Patch version numbers and affected versions should be verified against the official Google Chrome release notes and security advisories before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this information and recommends consulting official vendor documentation and conducting internal testing before applying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10010MEDIUMChrome Android Site Isolation Bypass
- CVE-2026-10937MEDIUMChrome Same-Origin Policy Bypass in Password Handling
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-34460MEDIUMNamelessMC OAuth State Validation Flaw Enables Session Hijacking
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0039MEDIUMAndroid Integer Overflow Denial of Service Vulnerability