MEDIUM 6.5

CVE-2026-11083: Chrome Password Manager Cross-Origin Data Leak Vulnerability

Google Chrome's password manager contained a flaw that could allow an attacker to trick users into leaking sensitive cross-origin data through a specially crafted webpage. The vulnerability requires user interaction—such as visiting a malicious site—but poses a meaningful risk because password managers are trusted to protect sensitive credentials and related information. An attacker exploiting this could potentially access data that should remain isolated between different websites.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-346, CWE-352
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11083 stems from an inappropriate implementation in Chrome's password manager component. The flaw permits cross-origin data leakage via maliciously crafted HTML, classified under CWE-346 (Origin Validation Error) and CWE-352 (Cross-Site Request Forgery). The vulnerability does not require elevated privileges or complex conditions to trigger (AC:L), relies on network-based delivery (AV:N), but does require user interaction (UI:R). The impact is confined to confidentiality (C:H), with no integrity or availability consequences. Chrome versions prior to 149.0.7827.53 are vulnerable across Windows, macOS, and Linux platforms.

Business impact

This vulnerability creates a direct threat to users' credential security and data privacy. If exploited, attackers could harvest sensitive information that users believe is protected by the password manager's cross-origin isolation. For organizations relying on Chrome as a standard browser, this represents a targeted risk to employees' authentication hygiene and could facilitate credential theft or unauthorized access to protected services. The medium CVSS score and user-interaction requirement lower the probability of mass exploitation, but the high confidentiality impact warrants prompt patching.

Affected systems

Google Chrome on Windows, macOS, and Linux systems running versions prior to 149.0.7827.53 are affected. Users of alternative browsers are not directly impacted by this Chrome-specific flaw. Organizations standardizing on Chrome for enterprise use, particularly those with strict password management policies, should prioritize inventory and patching of affected deployments.

Exploitability

Exploitation requires a remote attacker to craft a malicious HTML page and convince a user to visit it—a practical but not trivial social engineering step. No authentication, special network positioning, or exploit chain is needed; the attack surface is broad (anyone with internet access can host a crafted page). However, user awareness and basic security hygiene (avoiding suspicious links) significantly reduce exposure. Public exploit code has not been added to the CISA Known Exploited Vulnerabilities catalog as of the latest data.

Remediation

Update Google Chrome to version 149.0.7827.53 or later on all affected systems. This patch addresses the password manager implementation flaw. Administrators should enforce automatic updates where possible and verify compliance across managed devices. No workarounds are available; patching is the only reliable mitigation.

Patch guidance

Deploy Chrome version 149.0.7827.53 or newer across Windows, macOS, and Linux endpoints. Most users running auto-update enabled will receive the patch automatically; verify that auto-update is active in your environment. For enterprise deployments, use Chrome's group policies or mobile device management (MDM) solutions to enforce the minimum version. Test patch deployment in a non-production environment first to ensure compatibility with internal extensions and authentication mechanisms.

Detection guidance

Monitor Chrome version numbers across your fleet using your endpoint management or asset inventory tools. Log ingestion from Chrome browser telemetry (if enabled) may surface unusual password-manager activity, though direct detection of exploitation attempts is challenging at the network level. Focus detection efforts on identifying users visiting known malicious HTML repositories or suspicious link campaigns targeting your organization. Endpoint Detection and Response (EDR) tools may flag unusual credential-access patterns if the exploit succeeds.

Why prioritize this

Although this vulnerability carries a medium CVSS score and is not yet in active mass exploitation, it directly targets a high-value trust boundary—the password manager—and demands high confidentiality impact. Any data leakage from credential storage erodes user trust and may enable downstream attacks. The ease of delivery (a simple webpage) and low technical barrier to exploitation justify treating this as a priority patch for browser-heavy organizations. Defer to higher-severity vulnerabilities affecting system availability or affecting systems without user interaction, but do not delay this update beyond your standard patch cycle.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects the attack vector (network), low complexity, lack of privilege requirement, and user interaction as input. The high confidentiality impact (C:H) elevates the score; the absence of integrity or availability impact prevents a higher rating. In context, the password manager is a high-value target, making the medium score deceptive relative to business risk. Organizations should treat this as moderate-to-high priority despite the medium label.

Frequently asked questions

Can this vulnerability be exploited without the user visiting a malicious link?

No. The attack requires a user to visit a crafted HTML page, typically hosted by an attacker or injected via a compromised legitimate site. Simply having Chrome installed and auto-updated is insufficient for exploitation.

Does this affect Chrome extensions or third-party password managers integrated with Chrome?

The vulnerability is specific to Chrome's built-in password manager. Third-party password managers (such as 1Password, LastPass, or Bitwarden) are not directly affected, though users who rely on Chrome's native integration should prioritize the patch.

If I use a password manager other than Chrome's built-in tool, am I still at risk?

If you are using a dedicated password manager and Chrome's password manager is disabled or unused, your risk is significantly lower. However, Chrome itself still requires the security patch to prevent other potential misuse.

What should I do if I suspect my credentials have been compromised by this vulnerability?

If you know you visited a suspicious site before patching, consider changing passwords for sensitive accounts and monitoring for unusual account activity. Contact your identity protection service if available. Apply the Chrome patch immediately and enable two-factor authentication where possible.

This analysis is based on publicly available vulnerability data as of the publication and modification dates provided (2026-06-04 to 2026-06-17). Patch version numbers and affected platforms reflect the ground-truth source data and should be verified against Google's official Chrome release notes and security advisories. This assessment does not constitute professional security advice; consult your security team and vendor advisories before deploying patches in production. No exploit code or detailed exploitation techniques are provided in this summary. Risk prioritization should account for your organization's specific Chrome deployment, usage patterns, and overall vulnerability landscape. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).