MEDIUM 6.5

CVE-2026-11048: Chrome Extension Same-Origin Policy Bypass (Medium, 6.5)

Google Chrome versions before 149.0.7827.53 contain a vulnerability in how extensions are handled that could allow a malicious extension to bypass the same-origin policy—a core browser security feature that prevents websites from accessing data across different origins. An attacker would need to trick a user into installing a malicious extension, but once installed, the extension could potentially access or modify content on websites that it shouldn't normally be able to reach. This is a medium-severity issue that affects Chrome on Windows, macOS, and Linux.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-346
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11048 stems from an inappropriate implementation in Chrome's extension architecture that fails to properly enforce same-origin policy (SOP) restrictions. The vulnerability is classified under CWE-346 (Origin Validation Error) and allows a crafted malicious extension to circumvent the SOP boundary. The attack vector is network-based with low complexity and requires user interaction (convincing the user to install the extension). The CVSS 3.1 vector (6.5, Medium) indicates the impact is primarily to integrity (high) with no impact on confidentiality or availability. This is a user-initiated social engineering vector rather than a remote code execution flaw—the attacker cannot exploit the vulnerability without initial user action to install the extension.

Business impact

Organizations should be concerned about data integrity and confidentiality risks if users are socially engineered into installing malicious extensions. Once installed, such an extension could exfiltrate credentials, modify sensitive web application content, inject malicious scripts into banking or SaaS platforms, or manipulate user interactions with cloud services. This particularly affects organizations with weak application-layer controls, limited extension governance policies, or users who browse with untrusted or third-party extension sources. Regulated industries handling PII, financial data, or healthcare information face compliance and breach notification obligations if an extension-based attack succeeds.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are vulnerable across all major operating systems: Windows, macOS, and Linux. Any organization or user running an older version of Chrome is at risk if users can be convinced to install extensions. The vulnerability does not affect Chrome OS, Chromium forks, or other Chromium-based browsers unless they backport the vulnerable code pattern—verify with the vendor for products like Edge, Brave, or Chromium distributions.

Exploitability

Exploitation requires social engineering; there is no unauthenticated remote attack vector. An attacker must convince a user to install a malicious extension from the Chrome Web Store, a sideloaded package, or a lookalike distribution channel. Once installed, the malicious extension automatically gains the capability to bypass same-origin policy for any website the user visits. This makes the vulnerability practical for targeted attacks against specific user populations (employees of a company, members of an organization, subscribers to a service) but less likely for opportunistic mass exploitation. The CVSS score reflects the required user interaction (UI:R) and the fact that impact is limited to integrity rather than confidentiality or system availability.

Remediation

Update Chrome to version 149.0.7827.53 or later. Enable automatic updates in Chrome settings (Settings > About > Google Chrome) to ensure users receive patches without manual intervention. For organizations, enforce Chrome version policies via MDM/EMM solutions and restrict or manage extension installation using Chrome extension allow/block lists. Additionally, consider user awareness training to discourage installation of extensions from untrusted sources and to educate users on the risks of sideloading unsigned or unverified extensions.

Patch guidance

Update to Chrome 149.0.7827.53 or any subsequent release. Google typically rolls out updates automatically; on Windows and macOS, users should see a notification to update within a few days. Linux distributions may receive the patch through their standard package repositories. Enterprise administrators using Chrome Enterprise Licenses can manage update timing and rollout via the Google Admin Console. Verify that the updated version is running via Chrome Settings > About > Google Chrome, which will display the current version number. No configuration changes or workarounds are required; patching is the only mitigation.

Detection guidance

Monitor for Chrome browser versions in use across your environment and flag any installations below version 149.0.7827.53. Use endpoint detection and response (EDR) tools to identify extensions with suspicious permissions (especially those requesting access to all sites or sensitive data). Examine extension installation logs and web proxy logs for unusual extension downloads or installation attempts from non-official sources. If users report unexpected behavior on web applications (content changes, credential reuse failures, or suspicious redirects), investigate recently installed or updated extensions. Network monitoring for extensions establishing connections to unusual or known-malicious C2 infrastructure can provide early warning of exploitation.

Why prioritize this

While the CVSS score is medium (6.5), the actual risk depends on your user base and controls. Organizations with strong extension governance policies, allowlisting of approved extensions, and user training may face lower risk. However, companies with lax policies, users who frequently sideload extensions, or those where Chrome is widely used for sensitive work (accessing cloud platforms, SaaS tools, internal web applications) should prioritize patching. The social engineering requirement means this is lower risk than an unauthenticated remote attack, but the integrity impact on web application interactions makes it material for security teams managing insider risk or supply chain integrity.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects: (1) Network attack vector—the extension can be distributed online, but exploitation still requires user consent; (2) Low attack complexity—once the extension is installed, bypassing SOP is straightforward; (3) No privileges required—any user can install an extension; (4) User interaction required—the attacker must convince the user to install the extension; (5) Unchanged scope—the impact is limited to web content on the user's browser, not the system itself; (6) No confidentiality impact—the attacker cannot directly read data; (7) High integrity impact—the attacker can modify what the user sees or interacts with; (8) No availability impact—the attack does not deny service. The score appropriately penalizes the user-interaction requirement while recognizing the realistic threat of integrity violation in web-based workflows.

Frequently asked questions

Do I need to do anything special to patch this vulnerability?

No. Chrome's automatic update mechanism will deploy version 149.0.7827.53 to your browser automatically. You may see a notification to update or restart Chrome. Simply restart your browser to apply the patch. Enterprise users should verify that their MDM policies allow the update to deploy, or manually check Settings > About > Google Chrome to confirm you are on version 149.0.7827.53 or later.

How does a malicious extension bypass the same-origin policy?

Normally, the same-origin policy prevents a script on example.com from accessing data on example2.com. However, extensions in Chrome have elevated privileges and can request broad permissions (like "access all sites"). This vulnerability stems from improper enforcement of these permissions—a crafted extension could use those broad permissions to read or modify content across any site, even if it shouldn't be allowed to. The patch fixes the validation logic that enforces these permission boundaries.

What should my organization do beyond patching?

Implement a Chrome extension management policy using Chrome Enterprise or MDM to create an allowlist of approved extensions and block others. Train users to only install extensions from the official Chrome Web Store and to be skeptical of requests to install extensions, especially from non-official sources. Regularly audit installed extensions in your environment. Monitor for extensions with suspicious permissions or installation sources.

Will this vulnerability affect me if I use a Chromium-based browser like Microsoft Edge or Brave?

It depends on whether that browser has backported the vulnerable code pattern. Google has patched the issue in Chromium, so updated versions of Edge, Brave, and other Chromium derivatives should eventually receive the fix through their own release cycles. Check the specific browser's security advisories to confirm. This CVE is specific to Google Chrome's release, but the underlying issue affects the Chromium project, so other vendors may be affected.

This analysis is based on the official CVE record and Google Chromium security advisories as of the publication date. Exploit details and real-world weaponization status may change; refer to official vendor advisories and threat intelligence feeds for the latest information. CVSS scores are provided by the CVE record and reflect Chromium's own severity assessment. SEC.co does not provide exploit code or step-by-step attack instructions. Organizations should conduct their own risk assessment based on their specific Chrome deployment, user behavior policies, and compliance requirements. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).