MEDIUM 6.5

CVE-2026-11069: Chrome Same-Origin Policy Bypass in Cast Feature – Medium Severity Patch

Google Chrome versions before 149.0.7827.53 contain a flaw in how the Cast feature validates user input, allowing an attacker to craft a malicious HTML page that bypasses the browser's same-origin policy. If a user visits the attacker's page, it could potentially access or modify data from other websites the user is logged into, though without stealing that data directly. This is a moderate-severity issue affecting Windows, macOS, and Linux users.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-20
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11069 is an input validation defect (CWE-20) in Chrome's Cast implementation prior to version 149.0.7827.53. The vulnerability permits same-origin policy (SOP) bypass through a specially constructed HTML page served to an unsuspecting user. The attack requires user interaction (visiting the malicious page) and does not result in confidentiality loss, but could enable unauthorized data modification across origins. The Chromium project assigned this a Medium security severity rating.

Business impact

A successful exploit could allow attackers to tamper with user data on trusted websites without the user's knowledge, potentially leading to account compromise, unauthorized transactions, or data corruption. While not a direct data theft vector, the integrity compromise could damage user trust and expose organizations to indirect liability if their web applications are targeted. The requirement for user interaction and the non-confidentiality nature of the threat moderates the business urgency, but timely patching remains important for maintaining security posture.

Affected systems

Google Chrome on Windows, macOS, and Linux systems running versions prior to 149.0.7827.53 are affected. The vulnerability is specific to the browser and does not directly impact the underlying operating systems, though all three platforms' Chrome installations require the patch.

Exploitability

Exploitation requires network access and user interaction—specifically, a user must visit an attacker-controlled or compromised website hosting a crafted HTML page. No authentication, special privileges, or user configuration changes are needed. The attack vector is classified as remote and has low attack complexity, making it straightforward to deliver, though the reliance on user engagement prevents fully passive compromise. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last advisory update.

Remediation

Organizations should prioritize updating Chrome to version 149.0.7827.53 or later across all endpoints. Google releases Chrome updates automatically on most systems, but administrators should verify deployment through patch management tools. No workarounds are available short of disabling the Cast feature or restricting access to untrusted websites, which are impractical long-term solutions.

Patch guidance

Users and administrators should enable automatic Chrome updates or manually check for updates via Chrome's settings menu (Help > About Google Chrome). Verify that Chrome reports version 149.0.7827.53 or higher. For organizations with managed deployments, confirm that the ChromeOS update and Windows/macOS management policies push the latest version to all devices. Test critical web applications after patching to ensure compatibility, though this patch addresses a security defect and should not cause functional regression.

Detection guidance

Monitor Chrome version compliance through endpoint management tools to identify systems not yet running 149.0.7827.53 or later. For web application defenders, implement Content Security Policy (CSP) headers to restrict cross-origin resource sharing and monitor for unusual same-origin violations in browser logs. Network-based detection is limited, as the attack payload is delivered via standard HTTP/HTTPS requests; focus detection efforts on identifying users visiting known malicious or compromised sites through threat intelligence feeds.

Why prioritize this

While the CVSS score of 6.5 (Medium) reflects the integrity-focused nature of the threat and the user interaction requirement, the widespread use of Chrome across enterprise and consumer bases, combined with the ease of delivering the exploit, warrants prompt patching. The vulnerability affects millions of systems and does not require sophisticated attacker skills, making it a candidate for opportunistic exploitation if public details or proof-of-concept code emerge.

Risk score, explained

The CVSS v3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) yields a score of 6.5 (Medium). Network attack vector and low complexity reflect easy delivery; the requirement for user interaction (UI:R) prevents a higher score. The lack of confidentiality impact (C:N) and scope unchanged (S:U) keep the score moderate, but the high integrity impact (I:H) indicates substantial risk to data trustworthiness. Organizations handling sensitive user data should treat this as a priority patch despite the medium rating.

Frequently asked questions

Does this vulnerability allow an attacker to steal my passwords or credit card data?

No, the vulnerability does not compromise confidentiality. An attacker cannot read or exfiltrate your data through this flaw. However, they could modify data on websites you're logged into, such as changing account settings or posting content on your behalf, which is why timely patching matters.

Do I need to do anything if I have Chrome set to auto-update?

Probably not. Most users have automatic updates enabled, and Chrome will pull version 149.0.7827.53 or later on its normal update schedule. You can manually check by clicking Help > About Google Chrome to see your current version and force an update if desired.

Is this being actively exploited in the wild?

As of the last advisory update, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, meaning there is no confirmed active exploitation in the wild at this time. However, attackers monitor newly disclosed vulnerabilities, so prompt patching reduces the window of risk.

Does this affect Chrome on mobile devices or Chrome OS?

The advisory specifically mentions Chrome on Windows, macOS, and Linux. Chrome on Android and iOS typically receives patches through their respective app stores. ChromeOS devices running affected Chrome versions should receive the patch through Google's automatic update mechanism. Verify your device is running the patched version regardless of platform.

This analysis is provided for informational purposes and reflects publicly available information as of the advisory date. Organizations should verify patch availability and compatibility against their own vendor documentation and security advisories before deploying updates. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Consult vendor security advisories and your security team for definitive remediation guidance. This document does not constitute legal, compliance, or professional security advice. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).