CVE-2026-11007: Chrome WebView Cross-Origin Data Leak on Android
A flaw in Google Chrome's WebView on Android allows an attacker who has already compromised Chrome's renderer process to steal sensitive data from other websites. The vulnerability stems from inadequate validation of user-supplied input, making it possible for an attacker to craft a malicious webpage that leaks cross-origin information—data that should remain isolated between websites. While the attacker must first gain control of the renderer process, the subsequent data leakage requires only that a user visit a crafted page, making this a meaningful risk in multi-stage attack chains.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11007 is an input validation flaw (CWE-20) in Chrome's WebView implementation on Android versions prior to 149.0.7827.53. The vulnerability allows a compromised renderer process to bypass same-origin policy protections through insufficient validation of untrusted input, enabling the exfiltration of cross-origin data via a specially crafted HTML page. The renderer sandbox, designed to isolate web content, assumes trusted input handling; this flaw undermines that assumption. The attack requires the renderer process to already be compromised, but once that condition is met, the vulnerability becomes trivially exploitable through passive user interaction.
Business impact
This vulnerability primarily affects Android users of Chrome and organizations that deploy Chrome as a managed browser. In a real-world attack scenario, an adversary would first compromise the renderer process through a separate vulnerability or supply-chain attack, then use this flaw to escalate the breach from a single-site compromise to theft of sensitive cross-origin data—such as authentication tokens, personal information, or corporate data accessed in other tabs. The practical impact depends on what data a user has open simultaneously, but the confidentiality breach is the core concern. Organizations relying on Chrome security posture should prioritize patching to prevent such multi-stage attacks.
Affected systems
Google Chrome on Android versions prior to 149.0.7827.53 are affected. Desktop and iOS versions of Chrome are not mentioned in the advisory and should be verified against official Chromium release notes. The vulnerability is specific to WebView, Chrome's embedded browser component used by many Android applications, meaning the risk extends beyond the Chrome app itself to any application using Chrome WebView for in-app browsing.
Exploitability
Exploitability requires two preconditions: first, the attacker must already control the renderer process (via a separate exploit or compromise), and second, the user must visit a crafted malicious webpage. The CVSS score of 6.5 reflects this—attack vector is network-based and requires no privileges, but user interaction and prior renderer compromise limit real-world attack frequency. This is not a one-click remote code execution; it is a data-leakage vector that amplifies the damage of an existing renderer compromise. The barrier to exploitation is moderate, and the vulnerability is unlikely to be exploited in isolation.
Remediation
Update Google Chrome on Android to version 149.0.7827.53 or later. Users can verify their Chrome version in Settings > About Chrome, which will automatically check for and install updates. Organizations managing Android devices should use mobile device management (MDM) solutions to enforce and verify the update across their fleet. For apps embedding WebView, developers should ensure they are using the latest WebView component provided by Google, which receives updates independently of Chrome.
Patch guidance
Google has released Chrome 149.0.7827.53 and later versions with a fix for this vulnerability. Patch deployment should be prioritized for Android devices in use, particularly those with access to sensitive corporate or personal data. Monitor Chromium release notes and your organization's Chrome update dashboard to confirm rollout completion. Verify the fix by checking the Chrome version displayed in the About Chrome menu; automatic background updates may already have applied the patch on many devices.
Detection guidance
Detection of active exploitation is challenging because the attack occurs within the browser sandbox after a renderer compromise. Endpoint detection and response (EDR) tools should monitor for unusual Chrome renderer process behavior, such as unexpected inter-process communication or memory access patterns. Network monitoring may reveal exfiltration of data to attacker-controlled domains following a renderer compromise. Log Chrome update status and version consistency across devices to ensure patches are applied. Browser extension and plugin activity should be audited, as these are common vectors for initial renderer compromise.
Why prioritize this
While the CVSS score is medium (6.5), the practical prioritization should account for the real-world attack scenario: this vulnerability is most dangerous as part of a multi-stage attack chain. Organizations should prioritize patching in environments where users access sensitive data, or where renderer compromise is plausible (e.g., users browse untrusted content or install browser extensions). The vulnerability is not yet on the CISA Known Exploited Vulnerabilities list, suggesting active in-the-wild exploitation is not widespread; however, this should not delay routine patching cycles.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects a network-accessible vulnerability with high confidentiality impact but moderate exploitability complexity due to the renderer compromise prerequisite. The score assumes the renderer is already compromised, which is a reasonable assumption for an attacker chain but not for a standalone attack. Organizations handling highly sensitive data or operating in high-threat environments may consider this a higher practical risk and prioritize accordingly.
Frequently asked questions
Does this vulnerability affect Chrome on Windows, macOS, or Linux?
No. The advisory explicitly specifies WebView on Android prior to version 149.0.7827.53. Desktop versions of Chrome should be checked against the official Chromium release notes to confirm whether they received patches for the same or related issues in the same release cycle.
Can this vulnerability be exploited without first compromising the renderer process?
No. The flaw requires an attacker to already control the renderer process. Exploitation is not a direct remote code execution vector; it is a data leakage technique that amplifies the damage of an existing renderer compromise.
What data can be leaked using this vulnerability?
Any data accessible from cross-origin sites—such as authentication tokens, session cookies, personal information, or corporate data displayed in other browser tabs. The exact scope depends on what sensitive sites or applications a user has open simultaneously.
Is this vulnerability actively exploited in the wild?
As of the published date, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, suggesting active in-the-wild exploitation is not yet documented. However, organizations should still prioritize patching as part of routine security maintenance.
This analysis is based on the vulnerability advisory published on 2026-06-04 and modified on 2026-06-17. Patch version numbers, affected product versions, and CVSS scores are derived from official Chromium and Chrome security releases; always verify against the vendor's official advisory before deployment. This vulnerability requires a prior renderer process compromise and is not a standalone remote code execution vector. Exploitation guidance or proof-of-concept code is not provided in this document. Organizations should validate patch applicability within their environment and test before broad deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0051MEDIUMAndroid UBSan Runtime Denial of Service Vulnerability
- CVE-2026-0070MEDIUMAndroid DevicePolicyManagerService Local Denial of Service Vulnerability
- CVE-2026-0085MEDIUMAndroid Contact Handler Denial of Service Vulnerability
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10938MEDIUMChrome Site Isolation Bypass via Input Validation Flaw