CVE-2026-11023: Chrome Same-Origin Policy Bypass in WebAppInstalls
Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the browser handles web app installation that allows an attacker who has already compromised the browser's renderer process to bypass the same-origin policy. This means a specially crafted web page could be used to access or modify content from other websites in ways the browser is supposed to prevent. The attacker needs prior renderer compromise, limiting the immediate threat to users, but the bypass itself is reliable once that initial foothold exists.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in WebAppInstalls in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11023 stems from inappropriate implementation in Chrome's WebAppInstalls functionality. An attacker controlling the compromised renderer process can craft HTML that circumvents same-origin policy (SOP) protections via the web app installation mechanism. The vulnerability is categorized as an improper input validation issue (CWE-20). Chromium's security team assigned it Medium severity. The CVSS 3.1 score of 6.5 reflects high integrity risk with network attack vector and low complexity, but requires user interaction and assumes prior renderer process compromise.
Business impact
Organizations relying on Chrome for web applications face a secondary compromise risk. If an attacker gains initial renderer access through another vulnerability or supply-chain weakness, this flaw enables lateral movement to sensitive cross-origin resources. For SaaS platforms, internal tools, and cloud applications delivered via Chrome, the SOP bypass could allow unauthorized data access or manipulation. However, the requirement for prior renderer compromise significantly narrows the realistic attack surface in practice.
Affected systems
Google Chrome on Windows, macOS, and Linux systems running versions before 149.0.7827.53 are affected. The vulnerability is platform-agnostic; the issue resides in Chrome's cross-platform web app installation code. Users on any of these operating systems must update to the patched version to eliminate the risk.
Exploitability
Exploitation requires two conditions: first, the attacker must already have compromised the renderer process (via a separate vulnerability or attack); second, the user must visit a malicious page while the renderer is compromised. Crafting the HTML payload is likely straightforward, but the dual dependency on prior compromise and user interaction makes this a secondary rather than primary entry point. It is not known to be actively exploited in the wild, as reflected by its exclusion from the Known Exploited Vulnerabilities catalog.
Remediation
Update Google Chrome to version 149.0.7827.53 or later on all affected platforms. Verify the update has completed by navigating to Chrome Menu > About Google Chrome, which will display the current version. For enterprise deployments, use Chrome's managed update policies to enforce version requirements across managed devices. No workarounds are available; patching is the only mitigation.
Patch guidance
Priority this update for systems where Chrome is used to access sensitive cloud applications or internal web-based tools. Deploy via your standard patch management process or Chrome's auto-update mechanism (enabled by default). Test the update in a non-production environment if you maintain custom Chrome configurations or extensions, to ensure compatibility. Verify successful patching by confirming version 149.0.7827.53 or higher appears in Chrome's version information.
Detection guidance
Monitor for Chrome versions below 149.0.7827.53 in your environment using endpoint detection, device management platforms, or browser-based reporting. Web application firewalls and proxy logs may not directly reveal exploitation of this SOP bypass, since the attack occurs within the renderer after compromise. Focus on detecting the *prior* renderer compromise (malicious script injection, malware, etc.) rather than the SOP bypass itself. Correlate unusual cross-origin requests from Chrome instances with signs of renderer exploitation.
Why prioritize this
Although the CVSS score is moderate (6.5) and exploitation requires prior renderer compromise, the bypass of same-origin policy is a fundamental browser security boundary. Any reliable SOP circumvention warrants rapid patching to prevent chaining with other vulnerabilities. Organizations should prioritize this in regular patch cycles but need not declare it a critical emergency if no renderer compromise is suspected in their environment.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects: Network attack vector (AV:N) and low attack complexity (AC:L) because the malicious page is remote and the HTML is simple to craft; no privilege required (PR:N); user interaction required (UI:R) as the user must visit the page; no confidentiality impact (C:N) but high integrity impact (I:H) since the SOP bypass allows unintended modification of cross-origin content; no availability impact (A:N). The Medium severity appropriately captures that while the SOP bypass is serious, it depends on antecedent renderer compromise.
Frequently asked questions
What is same-origin policy and why does bypassing it matter?
Same-origin policy is a core browser security feature that prevents a webpage from accessing data or manipulating content on other websites without permission. A bypass lets an attacker view or modify sensitive information across domain boundaries—for example, stealing session cookies, exfiltrating form data, or modifying banking pages. SOP is so fundamental that any reliable bypass is treated as a high-priority vulnerability.
Do I need renderer compromise for this vulnerability to matter?
Yes. An attacker must first compromise Chrome's renderer process through a separate vulnerability or social engineering. Once that occurs, they can then use CVE-2026-11023 to amplify that compromise by escaping cross-origin boundaries. This two-stage requirement reduces real-world risk but underscores the importance of defense-in-depth—fix this flaw even if you believe your renderer is secure.
Is this vulnerability in the Known Exploited Vulnerabilities (KEV) catalog?
No. CVE-2026-11023 is not currently listed in CISA's KEV catalog, meaning there is no evidence of active, widespread exploitation in the wild. However, absence from KEV does not mean the vulnerability is harmless; it simply means observed exploitation has not yet been reported.
Can I disable web app installation to avoid this vulnerability?
Disabling web app installation may reduce the attack surface, but it does not eliminate the underlying code flaw. The safest and most complete mitigation is to update Chrome to version 149.0.7827.53 or later. Disabling the feature might be a temporary compensating control only if updating is significantly delayed.
This analysis is based on the vulnerability details published as of June 2026. Exploit code, proof-of-concept details, and real-world attack reports are not included. Organizations should verify patch availability and version numbers against official Google Chrome and vendor security advisories before deploying. This explainer does not constitute professional security advice; consult your security team for deployment decisions. CVSS scores and KEV status reflect information current at analysis time and may change as new data emerges. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11027MEDIUMChrome Glic Input Validation Flaw Enables Cross-Origin Data Leakage