CVE-2026-11001: Google Chrome UI Spoofing in Payments – Patch Now
Google Chrome versions before 149.0.7827.53 contain a flaw in the Payments feature that allows attackers to create a fake user interface through a specially crafted webpage. To exploit this, an attacker would need to trick a user into performing specific interactions—such as clicks or gestures—on the malicious page. The attack does not steal data or crash the browser, but instead deceives the user by making the browser display content that appears to come from a trusted source, when it actually originates from the attacker. This is a medium-severity issue that depends on user interaction to succeed.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-290, CWE-451
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Payments in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from an inappropriate implementation in Chrome's Payments subsystem, classified under CWE-290 (Improper Input Validation) and CWE-451 (User Interface (UI) Misrepresentation of Critical Information). An attacker can craft a malicious HTML page that, when visited by a user who performs targeted UI gestures, triggers UI spoofing—a technique where the attacker's content is visually presented in a way that mimics legitimate browser or payment interface elements. The attack vector is network-based with low attack complexity, but requires user interaction (UI:R). The impact is limited to integrity (I:H), with no confidentiality or availability loss, yielding a CVSS v3.1 score of 6.5 (Medium).
Business impact
UI spoofing in the Payments feature creates risk of fraudulent transactions and credential theft. Users may inadvertently approve payments or enter sensitive information (card details, authentication codes) believing they are interacting with a legitimate payment interface. Organizations relying on Chrome for workforce or customer-facing transactions should consider the reputational and financial risk if users are deceived into authorizing unauthorized payments. The requirement for specific user gestures limits broad exploitation, but targeted phishing campaigns could be effective.
Affected systems
Google Chrome prior to version 149.0.7827.53 is affected. This includes all deployments on Windows, macOS, Linux, Android, and iOS running unpatched versions. Organizations with Chrome deployment policies should prioritize inventory of endpoints and users running vulnerable versions, particularly those handling payment-related workflows or frequent web browsing in untrusted contexts.
Exploitability
Exploitation requires crafting a convincing HTML page and persuading a user to visit it and perform specific UI interactions—a technique common in phishing and social engineering. No authentication is required, and the attack is delivered over the network. However, the dependency on user action and the specificity of the required gestures (versus a one-click exploit) make this a moderate rather than critical exploitability concern. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active in-the-wild exploitation has not yet been widely documented.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically deploys patches automatically, but users and administrators should verify successful patching, particularly in environments with network or policy-based update restrictions. Verify the update through Chrome's About menu (chrome://settings/help) and confirm the version number matches or exceeds the patched release.
Patch guidance
Verify that your Chrome installations reach version 149.0.7827.53 or higher. For Windows domain environments, use Chrome enterprise policies or Google Admin console to force update checks. On macOS, verify via System Preferences and Safari updates if applicable, or use endpoint management tools to confirm Chrome patch status. Mobile users (iOS/Android) should ensure the Chrome app is updated via their device's app store. Test the update in a pilot group before broad deployment if enterprise policy requires staged rollouts. Confirm patch application by checking Chrome version history and reviewing security update logs.
Detection guidance
Monitor for indicators of exploitation, including unusual payment transaction patterns, user reports of unexpected payment approvals, or suspicious browser behavior during payment workflows. Web proxies and DNS filtering can help identify access to known malicious domains delivering this payload. Endpoint detection and response (EDR) tools may flag suspicious JavaScript execution or unusual Chrome renderer process behavior during payment interactions. Consider logging and alerting on Chrome version mismatches against your organization's patched baseline to identify non-compliant endpoints. User awareness training on phishing and UI spoofing techniques is an effective complementary control.
Why prioritize this
This vulnerability merits prompt patching because it directly impacts the integrity of payment workflows and user trust in the browser. Although it requires user interaction and has a medium CVSS score, the financial and reputational consequences of successful exploitation are significant. The lack of KEV listing suggests active exploitation may not be widespread yet, providing a window to patch proactively. Organizations should prioritize this above low-severity UI bugs but below critical remote code execution flaws.
Risk score, explained
The CVSS v3.1 score of 6.5 reflects moderate risk: network-accessible attack vector with low complexity, but mandatory user interaction requirement and integrity-only impact (no confidentiality or availability loss). The score appropriately captures that while an attacker can deceive users into approving fraudulent payments, they cannot directly steal data, execute code, or deny service. In the context of payment systems, the integrity impact (I:H) is weighted heavily because payment approval is a critical business function.
Frequently asked questions
Could an attacker use this to steal my saved credit cards or passwords?
No. This vulnerability enables UI spoofing—making the browser display a fake payment interface—but does not grant access to stored credentials or payment methods. However, a user deceived by the spoofed UI might manually enter payment details, which would be intercepted by the attacker. Always verify you are on the official payment page before entering sensitive information.
Will I be automatically protected once I update Chrome?
Yes. Chrome's auto-update mechanism will download and install version 149.0.7827.53 or later automatically. However, verify the update has completed by visiting chrome://settings/help. If you use enterprise Chrome policies, your administrator may control update timing; confirm patch status in your organization's compliance tracking system.
If I never make online purchases or use Chrome's Payments feature, am I at risk?
Your risk is lower if you do not engage with payment workflows in Chrome, but you remain exposed to phishing if an attacker crafts a convincing fake interface and tricks you into clicking links. Update Chrome anyway, as the patched version fixes the underlying UI misrepresentation flaw regardless of your payment habits.
Is this vulnerability being actively exploited in the wild?
As of the latest data, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, suggesting widespread active exploitation has not been documented. However, this does not guarantee no one is exploiting it; patch promptly rather than waiting for evidence of abuse.
This analysis is based on publicly available vulnerability data and Chromium security advisories as of the modification date (2026-06-17). Version numbers, patch availability, and KEV status reflect data current at publication; verify against Google's official Chrome release notes and security advisories for the latest patch status. No exploit code or proof-of-concept is provided. Organizations should consult with their security team and perform due diligence testing before deploying patches in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11019MEDIUMChrome Android Payments Domain Spoofing Vulnerability
- CVE-2026-10984MEDIUMGoogle Chrome Android UI Spoofing Vulnerability – Medium Severity
- CVE-2026-0088HIGHAndroid CertInstaller Privilege Escalation
- CVE-2026-0093HIGHAndroid Local Privilege Escalation via Misleading UI—CVSS 7.8
- CVE-2026-0094HIGHAndroid KeyChain Privilege Escalation via UI Misrepresentation
- CVE-2026-0096HIGHAndroid Local Privilege Escalation in ForgetDeviceDialogFragment
- CVE-2019-25718HIGHDräger Infinity Explorer C700 Kiosk Escape Privilege Escalation
- CVE-2026-42674HIGHAdvanced Access Manager Authentication Bypass via URL Encoding