MEDIUM 4.3

CVE-2026-11062: Chrome Extension Policy Bypass Allows Script Injection

Google Chrome versions before 149.0.7827.53 contain a vulnerability in how it enforces policies on browser extensions. An attacker could create a malicious extension that, if installed by a user, would be able to inject malicious scripts or HTML code into sensitive browser pages. While the technical barrier is relatively low (it requires social engineering to trick a user into installing the extension), the impact is limited to tampering with page content rather than stealing data or causing system crashes.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-602
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability stems from insufficient policy enforcement in Chrome's extension sandboxing mechanism (CWE-602: Use of Hard-coded Password). A malicious Chrome extension can bypass content security policies and inject arbitrary JavaScript or HTML into privileged browser pages—those normally protected from script injection. The vulnerability affects Chrome on Windows, macOS, and Linux. The attack surface is limited by the requirement that a user must be socially engineered into installing the malicious extension; however, once installed, the attacker gains the ability to modify page rendering and potentially intercept or alter user interactions with sensitive web applications. Chromium rated this as Medium severity.

Business impact

Organizations using Chrome as a standard browser face risk if employees can be tricked into installing extensions from untrusted sources. Attackers could use this to inject phishing content, credential harvesters, or misleading information into legitimate websites—essentially a man-in-the-browser attack for pages rendered in Chrome. Financial services, SaaS platforms, and internal web applications are particularly at risk if the injected content is designed to capture user credentials or manipulate transactions. The impact is heightened in environments where users have elevated privileges or access to sensitive systems through web interfaces.

Affected systems

Google Chrome prior to version 149.0.7827.53 running on Windows, macOS, or Linux is vulnerable. This includes all Chrome-based Chromium distributions. The vulnerability does not appear in the published data to be specific to any particular enterprise or consumer version, suggesting all Chrome users below the patched version are in scope.

Exploitability

Exploitation requires user interaction—specifically, convincing a user to install a malicious extension. This typically involves social engineering (misleading extension store listings, typosquatting, phishing emails with download links, or compromised third-party extension repositories). Once installed, the extension executes with no additional user action needed. The attack vector is network-based and requires no special system privileges. The relatively low barrier to creating and distributing a Chrome extension, combined with the large user base, makes this vulnerability moderately exploitable in campaigns targeting specific organizations or user groups.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically deploys patches within days; however, verify deployment in your environment. Additionally, enforce policies to restrict extension installation—many organizations use Chrome policies (via Google Admin or third-party MDM solutions) to create an allowlist of approved extensions or to block installation entirely. Educate users on the risks of installing extensions from unknown sources and implement extension approval workflows if feasible.

Patch guidance

Google Chrome 149.0.7827.53 or later addresses this vulnerability. Confirm your current version in Chrome Settings > About Chrome (it will auto-update if newer versions are available). For managed deployments, verify the update is applied across your fleet using your organization's device management system. No other patching is required; the fix is contained in the Chrome browser update itself.

Detection guidance

Monitor for suspicious Chrome extension installations, particularly those installed from non-store sources or with unusual permissions (especially those requesting content script injection on privileged domains). Review Chrome extension audit logs if available through your MDM or browser management system. Look for extensions that request broad or unusual permissions, and cross-reference against your organization's approved extension list. On individual endpoints, users can view installed extensions at chrome://extensions. Consider canary deployments of the patched Chrome version to validate stability before broad rollout.

Why prioritize this

While this vulnerability carries a CVSS score of 4.3 (Medium), the social engineering barrier and requirement for user action reduce its attractiveness to widespread attackers. However, it poses a credible risk to targeted campaigns against organizations with high-value web applications or sensitive data accessible through browsers. It warrants prompt patching but is not critical; patching should be coordinated within your standard update cycle (typically weeks, not days, unless targeting a high-risk user group).

Risk score, explained

The CVSS 3.1 score of 4.3 reflects a network attack vector with low complexity and required user interaction, but limited impact (integrity only, no confidentiality or availability impact). The Medium severity designation aligns with Chromium's assessment. The score appropriately penalizes the social engineering requirement while crediting the ability to inject content into privileged pages, which could enable credential theft or transaction manipulation in specific attack scenarios.

Frequently asked questions

Do I need to worry about this if I don't use Chrome?

No. This vulnerability is specific to Google Chrome and Chromium-based browsers (Edge, Brave, Vivaldi, etc. using Chromium). Firefox and Safari users are not affected, though they should ensure their browsers are similarly patched for other vulnerabilities.

Can this vulnerability be exploited without the user installing an extension?

No. The vulnerability explicitly requires the user to install a malicious extension. An attacker cannot exploit it through a malicious website alone; social engineering is a necessary first step. This significantly limits exposure compared to zero-click vulnerabilities.

What kind of data can an attacker steal with this vulnerability?

The vulnerability allows script injection into privileged pages, which could enable credential harvesting, session token theft, or alteration of transaction details in banking or e-commerce applications. However, it does not grant access to Chrome's local storage, cookies via JavaScript, or system files beyond what the extension itself is already permitted to access.

If my organization has disabled extension installation, am I protected?

Yes. If your Chrome policies prohibit extension installation (via Google Admin, Microsoft Intune, or similar), this vulnerability is effectively mitigated because the attack vector—malicious extension installation—is blocked.

This analysis is based on publicly available vulnerability data as of the publication date and is provided for informational purposes. Specific patch version numbers, affected product lists, and CVSS scores are sourced from official CVE and vendor disclosures and should be independently verified before implementing remediation. Organizations should consult Google's official Chrome security advisories and their own risk assessment procedures. This information does not constitute legal or professional security advice; consult your security team or a qualified cybersecurity professional for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).