CVE-2026-11084: Chrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
A flaw in Google Chrome's password manager allows attackers to trick users into visiting a specially crafted website that can leak sensitive data from other websites the user has visited. The vulnerability requires user interaction—specifically, the victim must click on or interact with a malicious page—but once triggered, it can expose cross-site information that should normally be protected by browser security boundaries. This affects Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-346, CWE-352
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11084 stems from an inappropriate implementation in Chrome's password manager component that fails to properly isolate cross-origin data. An attacker can craft a malicious HTML page that, when accessed by a user, exploits this isolation bypass to read or extract sensitive information from different origins. The vulnerability maps to CWE-346 (Origin Validation Error) and CWE-352 (Cross-Site Request Forgery), indicating that the password manager does not adequately enforce same-origin policy constraints. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects network-based attack delivery, low attack complexity, and high confidentiality impact with no integrity or availability consequences.
Business impact
For enterprises and individual users, this vulnerability represents a moderate but real confidentiality risk. If attackers successfully exploit this flaw against employees or executives, they could harvest password manager metadata or cached authentication tokens, potentially facilitating account takeovers or lateral movement within corporate networks. Organizations relying on Chrome for secure browsing should treat this as a meaningful security event that warrants prompt patching, particularly for sensitive workflows. The requirement for user interaction limits blast radius, but targeted spear-phishing campaigns could effectively trigger the vulnerability at scale.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are affected on all major operating systems: Windows, macOS, and Linux. This includes desktop deployments across corporate and consumer environments. The vulnerability does not affect the Chrome kernel itself but rather the password manager module bundled with the browser. Users on older or unsupported Chrome versions, or those with automatic updates disabled, face heightened risk.
Exploitability
Active exploitation requires crafting a convincing or deceptive webpage that lures users into visiting it. No authentication, special privileges, or complex exploitation techniques are needed once a user lands on the attacker's site. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting real-world attacks have not yet been widespread or publicly documented. However, the straightforward nature of delivery (via web link) and moderate severity make this a plausible target for threat actors seeking to harvest credentials from high-value targets.
Remediation
Organizations and users should update Google Chrome to version 149.0.7827.53 or later as soon as possible. For enterprise deployments, administrators should verify patch status via Chrome's built-in update mechanism or through mobile device management (MDM) and endpoint management systems. Users can manually check for updates by navigating to Chrome menu > Help > About Google Chrome, which will automatically download and prompt for installation. Staged rollouts are recommended to ensure stability before organization-wide deployment.
Patch guidance
Google has resolved this vulnerability in Chrome 149.0.7827.53. Verify that your deployed version meets or exceeds this release number. Users on auto-update configurations should receive the patch automatically within days of release. For enterprise Chrome deployments, confirm the update policy is enabled and that deployed instances have checked in within a reasonable window. If manual deployment is required, download the latest Chrome installer from Google's official channels and verify the version after installation. Test functionality in your environment, particularly password manager features, before full rollout.
Detection guidance
Monitor Chrome version inventory across your environment using endpoint detection and response (EDR) tools, mobile device management platforms, or software asset management systems to identify instances running versions prior to 149.0.7827.53. Log analysis of web proxy or firewall appliances may reveal suspicious browsing patterns if employees visit unusual or obfuscated domains, though detecting the exploitation itself in logs is difficult without application-level instrumentation. Consider deploying browser isolation or sandboxing solutions for high-risk users to contain potential cross-origin data leakage. Security awareness training emphasizing caution with unexpected links, especially in email, can reduce the likelihood of users triggering the malicious pages.
Why prioritize this
This vulnerability merits prompt but not emergency-level response. The CVSS score of 6.5 (Medium) and requirement for user interaction prevent it from reaching critical status. However, its network-based delivery mechanism, lack of authentication barriers, and potential to compromise password manager state make it a solid candidate for first-wave patching in any organized update cycle. Organizations with high-value employees targeted by sophisticated phishing campaigns or those in regulated industries should prioritize it ahead of lower-severity items. The absence of active exploitation in the wild provides a reasonable window for planning and testing before deployment.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects a medium-severity issue with high confidentiality impact but no integrity or availability damage. Network-based attack vector (AV:N) and low complexity (AC:L) mean any online user can be targeted with minimal technical barriers. The requirement for user interaction (UI:R) prevents automatic exploitation and limits scope. High confidentiality (C:H) acknowledges that successful exploitation can leak sensitive cross-origin data, aligning with the password manager context where cached credentials or metadata could be exposed. Unchanged scope (S:U) indicates the compromise remains within the affected component boundary.
Frequently asked questions
Will updating Chrome to 149.0.7827.53 remove any existing leaked data?
No. The patch prevents future exploitation but does not retroactively secure data that may have been exposed before the update. If you suspect your credentials were compromised, consider changing passwords for sensitive accounts, particularly those tied to email or financial services, and monitor account activity for unauthorized access.
Does this vulnerability affect Chrome extensions or other browsers like Chromium-based Edge or Brave?
This vulnerability is specific to Google Chrome's password manager implementation prior to version 149.0.7827.53. Chromium-based browsers like Microsoft Edge or Brave may inherit the patch at different timelines depending on their release cycles. Check each browser vendor's security updates for confirmation.
Can I protect myself without updating if I don't use Chrome's password manager?
If you disable or do not use Chrome's built-in password manager and instead rely on a third-party manager, your exposure is reduced but not eliminated, as the vulnerability could still leak other cross-origin data. Updating remains the safest course of action.
Is there a workaround if I cannot update immediately?
Limit browsing to trusted, well-known websites and avoid clicking on unexpected links, especially from email or chat. Disable Chrome's password manager in Settings > Autofill if you are uncomfortable with the risk, though this does not address the underlying cross-origin leak. However, the most reliable mitigation is to update at your earliest opportunity.
This analysis is provided for informational and educational purposes and reflects publicly available information as of the published date. SEC.co makes no warranty regarding the completeness or accuracy of this content. Vulnerability details, patch timelines, and affected versions may change; consult official vendor advisories and security bulletins for authoritative guidance. Organizations should conduct their own risk assessment and testing before deploying patches in production environments. This document does not constitute legal, compliance, or specific security advice for your organization. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw
- CVE-2026-11048MEDIUMChrome Extension Same-Origin Policy Bypass (Medium, 6.5)
- CVE-2026-11081MEDIUMChrome Canvas Same-Origin Policy Bypass
- CVE-2026-11106MEDIUMCross-Origin Data Leak in Google Chrome Media Component
- CVE-2026-11129MEDIUMChrome Extension Cross-Origin Data Leak Vulnerability