CVE-2026-11032: Chrome Password Manager Cross-Origin Data Leak
Google Chrome's Password Manager contained a flaw that could allow an attacker to trick users into visiting a malicious webpage and leak sensitive data from other websites the user visits. The vulnerability requires user interaction—visiting a crafted HTML page—but once triggered, could expose cross-origin information that should remain isolated between websites. This affects Chrome on Windows, macOS, and Linux systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-346
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11032 stems from an inappropriate implementation in Chrome's Password Manager that fails to properly enforce cross-origin isolation boundaries. An attacker can craft a malicious HTML page that, when visited by a user, exploits this flaw to read or exfiltrate data from other origins. The vulnerability is classified under CWE-346 (Origin Validation Error) and carries a CVSS 3.1 score of 6.5 (Medium severity). The attack vector is network-based with low complexity; however, it requires user interaction and does not grant write access or cause availability impact—the threat is confined to confidentiality breaches.
Business impact
A successful exploit could compromise user passwords, authentication tokens, or other sensitive data managed or stored within Chrome's Password Manager when the user visits an attacker-controlled website. For organizations where employees use Chrome with synced credentials, this represents a pathway to credential theft that bypasses traditional perimeter controls. The reliance on user interaction (visiting a malicious page) limits mass exploitation but increases risk in targeted phishing campaigns. Organizations should assess whether their security awareness training adequately covers the risk of visiting untrusted websites, even in casual browsing contexts.
Affected systems
Chrome versions prior to 149.0.7827.53 on all major platforms (Windows, macOS, Linux) are vulnerable. The Password Manager feature in Chrome is the affected component; users who do not use Chrome's Password Manager or who have disabled it may face reduced risk, though complete isolation is not guaranteed. The vulnerability is not platform-specific; it affects Chrome installations uniformly across operating systems.
Exploitability
The attack requires a user to visit a crafted webpage, making it exploitable only through social engineering or redirect attacks. An attacker cannot remotely trigger the vulnerability without user interaction. However, the barrier to exploitation is low once a user lands on the malicious page—no additional user actions, prompts, or browser configuration changes are required. The attack is deterministic and does not depend on system-specific conditions or race conditions. Active exploitation in the wild has not been confirmed as of the vulnerability publication date.
Remediation
Update Google Chrome to version 149.0.7827.53 or later on all platforms (Windows, macOS, Linux). Since Chrome typically updates automatically, most users should receive the patch within days of release. System administrators managing Chrome deployments should verify that auto-update policies are not blocked and confirm deployment of the patched version across their environment. No workarounds short of disabling the Password Manager feature are recommended, as the flaw is fundamental to the feature's implementation.
Patch guidance
Verify that Chrome has auto-updated to 149.0.7827.53 or later. Users can check their version in Chrome Settings > About Chrome; the browser will automatically apply updates after restart. Enterprise administrators should reference Google's Chrome Enterprise release notes for deployment timelines and confirmation of patch availability in their managed environments. If Chrome auto-updates are disabled via group policy or other means, administrators must manually trigger updates or adjust policies to allow automatic patching. No staged rollout or compatibility issues with this patch have been reported.
Detection guidance
Endpoint monitoring should confirm Chrome version compliance with 149.0.7827.53 or later across managed devices. Organizations using Chrome in enterprise environments can leverage Chrome's built-in reporting features (Chrome Enterprise) to audit version status. Network-based detection of exploit attempts is difficult because the attack occurs client-side within the browser; focus instead on version inventory and user education. Monitor for suspicious usage patterns in Password Manager (unusual credential access or exfiltration), though such signals may be difficult to isolate without application-level logging in Chrome.
Why prioritize this
Although the CVSS score is Medium (6.5), this vulnerability warrants prompt patching due to its direct threat to credential confidentiality. Password Managers are high-value targets because they centralize access to sensitive authentication material. The attack vector is remote and requires only user interaction, not authentication or special privileges. However, the absence of confirmed active exploitation and the availability of an immediate patch reduce urgency compared to critical or actively exploited flaws. Organizations should prioritize this within a 30-day window, aligned with standard patch management SLAs for Medium-severity browser vulnerabilities.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects a Medium severity due to high confidentiality impact (data disclosure) balanced against the requirement for user interaction and the absence of integrity or availability impact. The network attack vector and low complexity increase the base score, while the UI requirement (visiting a crafted page) and scope limitation (no cross-privilege boundary) prevent it from reaching High severity. This scoring appropriately captures the real-world risk: a meaningful but not catastrophic threat that depends on user behavior.
Frequently asked questions
If I use Chrome's Password Manager, am I automatically vulnerable?
Users of Chrome versions prior to 149.0.7827.53 are vulnerable if they visit a malicious webpage crafted to exploit this flaw. Simply using the Password Manager does not expose you; the attacker must trick you into visiting the malicious page. Updating Chrome eliminates the vulnerability.
Can this vulnerability be exploited without me knowing?
The exploit requires you to visit a specific malicious webpage. You will not receive a notification or see an obvious sign of attack in most cases. This is why staying current with Chrome updates and maintaining security awareness about phishing and malicious links is critical.
Does this affect other password managers or browsers?
This vulnerability is specific to Google Chrome's Password Manager implementation. Other browsers and password managers have separate code bases and are not affected by this particular flaw, though they may have their own security considerations.
What should enterprise administrators do?
Verify Chrome auto-update policies are enabled and confirm deployment of version 149.0.7827.53 or later across your fleet. Provide user training on recognizing phishing and avoiding untrusted websites. If Chrome auto-updates are disabled, manually push the update or re-enable auto-updates where policy allows.
This analysis is based on vulnerability data published as of June 2026. CVSS scores and severity classifications reflect industry-standard metrics but should be contextualized within your organization's threat model and asset criticality. Patch version numbers and availability are current as of the source data date; verify with Google's official Chrome release notes and your vendor advisories before deployment. This document does not constitute security advice; consult your security team for guidance specific to your infrastructure and risk posture. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required