MEDIUM 6.5

CVE-2026-11020: Chrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53

Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the browser handles extensions that process XML files. An attacker can craft a malicious XML file that, when processed by a vulnerable extension, leaks sensitive data from other websites the user has visited. The vulnerability requires user interaction—specifically, the user must open or interact with the malicious file—but does not require the attacker to have special privileges or bypass additional security controls. This is a cross-origin data leak, meaning information intended to be isolated between websites can be extracted by an attacker.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-346, CWE-352
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted XML file. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from an inappropriate implementation within Chrome's extension framework that fails to properly enforce cross-origin isolation when extensions parse XML content. The flaw allows an attacker to craft XML payloads that, when processed by an extension with insufficient origin-boundary enforcement, expose sensitive HTTP response data or DOM content from cross-origin contexts. The underlying issue relates to improper origin policy validation (CWE-346) and cross-site request forgery or similar boundary confusion (CWE-352). The attack surface is limited to extensions that handle XML file input without adequate sandboxing or cross-origin checks. Chrome's sandbox model normally prevents such leaks, but the extension API's XML handling created an exception that attackers can exploit through social engineering or malicious file distribution.

Business impact

A successful attack could expose sensitive user data—credentials, session tokens, personal information visible in authenticated web sessions—to an attacker. For organizations where employees use Chrome with extensions that handle XML files (document processing, data integration, or configuration management extensions), this creates a risk of unauthorized access to internal systems or data. The impact is heightened in environments where users frequently open files from untrusted sources or where extensions lack adequate vetting. However, the requirement for user interaction significantly limits mass-exploitation scenarios; targeted phishing campaigns or supply-chain compromises of extensions would be necessary for systematic abuse.

Affected systems

Google Chrome on Windows, macOS, and Linux versions prior to 149.0.7827.53 are vulnerable. The vulnerability is specific to Chrome and does not directly affect the underlying operating systems (Windows, macOS, or Linux kernel), though those systems are listed as affected platforms because Chrome runs on them. Users of older Chrome versions who have installed extensions that parse XML content are at risk. Chrome's auto-update mechanism should push version 149.0.7827.53 or later to most users, but those running outdated or pinned versions remain exposed.

Exploitability

Exploitability is moderate. The attack requires a user to open a crafted XML file, but the file can be delivered via email, compromised website, or file-sharing platform. No zero-click exploitation or drive-by download is possible; user action is mandatory. However, social engineering to trigger file opening is practical and commonly effective. The vulnerability does not require authentication, administrator privileges, or network access beyond normal web connectivity. Once a malicious XML file reaches a user with a vulnerable extension installed, exploitation is near-certain if the extension processes the file. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting either limited public exploitation or rapid patching uptake.

Remediation

Update Google Chrome to version 149.0.7827.53 or later immediately. Chrome's auto-update feature will deliver the patch automatically in most environments, but users should verify their version via chrome://version in the address bar. For enterprise deployments, use Chrome's update management policies to ensure rapid distribution. Additionally, audit installed extensions for XML-handling capabilities and consider disabling or replacing those that lack origin-boundary enforcement. Review extension permissions and remove any that request unnecessary cross-origin access.

Patch guidance

Google has released Chrome 149.0.7827.53 with a fix for this extension implementation flaw. Apply the patch as soon as possible through standard Chrome auto-update channels. Organizations using managed Chrome deployments should push the update via their device management platform. No interim workarounds are recommended; the patch is the definitive remedy. Verify successful deployment by checking chrome://version on endpoints and correlating with your fleet management tools.

Detection guidance

Monitor for suspicious XML file handling by extensions. Endpoint detection and response (EDR) tools should flag unusual file access patterns or network exfiltration triggered by extension processes. Check Chrome extension audit logs (where available) for extensions processing XML from untrusted sources. Look for anomalous cross-origin HTTP requests initiated by extensions. In managed environments, enable Chrome Enterprise policies to log extension behavior and alert on policy violations. Browser memory forensics or process monitoring during incident response may reveal the extension and XML file responsible for data leakage.

Why prioritize this

This vulnerability merits timely but not emergency patching due to its CVSS 6.5 (Medium) severity. The attack surface is limited to users with XML-processing extensions and requires social engineering to trigger. However, the nature of the flaw—cross-origin data leakage—and the ease of patch deployment via auto-update make rapid remediation practical and advisable. Organizations with high-risk users (researchers, executives, financial teams) or strict data-protection policies should prioritize patching within days. The absence of public KEV listing indicates controlled exploitation, reducing the immediate threat landscape.

Risk score, explained

CVSS 6.5 reflects a medium-risk vulnerability with high confidentiality impact but no integrity or availability impact. The network-based attack vector (AV:N) and low attack complexity (AC:L) indicate broad reachability, but the requirement for user interaction (UI:R) significantly reduces the exploitability score. The lack of scope change (S:U) means the attacker only accesses the user's own session data or browser context, not other users or system-wide resources. The high confidentiality impact (C:H) justifies the score; an attacker can extract sensitive cross-origin data. This is appropriately classified as medium severity—a concern for enterprises but not a critical emergency requiring all-hands response.

Frequently asked questions

Does this vulnerability affect all Chrome extensions or only specific ones?

Only extensions that handle XML file processing are vulnerable. Extensions that do not process XML or that properly enforce cross-origin boundaries are not affected. However, users may not know which installed extensions are at risk, making a browser update the safest approach.

Can this vulnerability be exploited without user action?

No. The attack requires the user to open or process a malicious XML file. Passive web browsing or auto-loading of files will not trigger the vulnerability. An attacker must use social engineering—email, messaging, or a compromised file repository—to deliver the malicious XML.

Is there a way to detect if my extensions are vulnerable before I patch Chrome?

Not easily, short of examining each extension's source code or contacting the developer. The safest approach is to update Chrome to 149.0.7827.53 and to audit your installed extensions for unnecessary XML-handling capabilities or excessive permissions. Remove or replace extensions you do not actively use.

Will my data be protected if I disable JavaScript in the browser?

Disabling JavaScript might reduce the risk for certain attack scenarios, but it is not a reliable mitigation for this vulnerability. Extension functionality and XML parsing may still occur, and many extensions require JavaScript to function correctly. Patching Chrome is the proper fix.

This analysis is based on information available as of the publication date and reflects the state of knowledge at that time. CVSS scores, patch versions, and affected product lists are derived from official vendor advisories and the National Vulnerability Database. Organizations should verify patch applicability and compatibility within their own environments before deployment. Exploitation details and techniques described herein are for defensive and educational purposes only. SEC.co makes no guarantee of the completeness or real-time accuracy of this intelligence; always consult primary vendor sources and your security team for final remediation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).