MEDIUM 6.5

CVE-2026-11097: Chrome Android WebView Cross-Origin Data Leak Vulnerability

Google Chrome on Android contains a flaw in how its WebView component handles cross-origin requests, allowing an attacker to trick users into visiting a malicious webpage that leaks sensitive data from other websites the user is logged into. The vulnerability requires user interaction (clicking a link or visiting a page) but does not require the user to be an administrator or to bypass additional security measures. This affects Chrome versions before 149.0.7827.53.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-474
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11097 is a cross-origin data leak vulnerability in Chrome's WebView on Android, rooted in improper handling of same-origin policy enforcement. The WebView implementation fails to adequately isolate data between origin contexts, allowing a remote attacker to exfiltrate sensitive information via a crafted HTML page. The underlying issue is catalogued as CWE-474 (Inappropriate Implementation), indicating a design or logic flaw rather than a classic memory corruption or input validation error. The attack vector is network-based with low complexity and requires user interaction but no special privileges.

Business impact

For organizations managing Android devices that run Chrome or apps embedding Chrome WebView, this vulnerability poses a confidentiality risk. Users' authenticated session data, personal information, or internal web application data visible in the browser could be accessed by attackers if users visit malicious sites. The impact is heightened in Bring Your Own Device (BYOD) environments and for users accessing corporate web applications or cloud services through mobile browsers. Data breaches resulting from this flaw could expose customer PII, trade secrets, or intellectual property.

Affected systems

Google Chrome on Android versions prior to 149.0.7827.53 are affected. Any Android application that embeds Chrome WebView is also vulnerable unless it is updated. This includes the default Chrome browser and third-party apps using the WebView component. Desktop and iOS versions of Chrome are not affected by this specific vulnerability.

Exploitability

The vulnerability has a CVSS score of 6.5 (Medium severity) and is not currently listed on the CISA Known Exploited Vulnerabilities catalog, indicating no widespread active exploitation has been publicly disclosed. However, exploitation requires only a network connection and user interaction—an attacker simply needs to trick a user into visiting a malicious webpage. No complex attack setup, zero-day techniques, or privileged access is required, making it exploitable by attackers with moderate resources once exploitation techniques become public.

Remediation

Update Google Chrome on Android to version 149.0.7827.53 or later. This patch corrects the WebView implementation to properly enforce cross-origin isolation. For enterprise users, ensure that mobile device management (MDM) policies enforce automatic updates or mandate manual updates within a reasonable timeframe. Apps that embed WebView should also be updated if patches are available from their vendors.

Patch guidance

Apply Chrome updates through Google Play Store, which typically delivers updates automatically. Android users should navigate to Chrome settings > About Chrome to check the current version and trigger an automatic update check if needed. Enterprises using MDM solutions (Intune, MobileIron, Jamf, etc.) should configure policies to deploy Chrome version 149.0.7827.53 or later to managed Android devices. Verify patch deployment by confirming device Chrome versions align with the fixed release.

Detection guidance

Monitor for Chrome version compliance across your Android device fleet using MDM reporting tools. Look for Chrome versions older than 149.0.7827.53 and prioritize devices that cannot be automatically updated. On the network level, detect potential exploitation attempts by monitoring for unusual cross-origin requests or data exfiltration patterns in web traffic from mobile devices, though signature-based detection is limited without application-level telemetry. Consider deploying endpoint detection and response (EDR) solutions on Android where feasible to flag suspicious WebView activity.

Why prioritize this

This vulnerability merits prioritization for organizations with significant Android user bases or BYOD programs. Although the CVSS score is Medium and exploit code is not yet public, the low attack complexity and user interaction requirement make it a practical target for opportunistic attackers. The confidentiality impact (data leakage) directly threatens sensitive business information. Prioritize patching devices used by employees accessing internal web applications, customer data, or financial systems.

Risk score, explained

The CVSS v3.1 score of 6.5 reflects a network-accessible vulnerability with high confidentiality impact but no integrity or availability consequences. The requirement for user interaction (clicking a malicious link) reduces the score below 7.0, placing it in the Medium category. The score appropriately captures the real-world risk: while not as severe as remote code execution flaws, the ease of exploitation and sensitivity of data at risk warrant urgent patching.

Frequently asked questions

Will updating Chrome on Android automatically protect my device?

Yes. Chrome on Android auto-updates by default through Google Play Store. Verify your device is connected to the internet and has sufficient storage. You can manually check Settings > Apps > Chrome > About Chrome to force an update check. For managed devices, your organization's MDM policy may enforce mandatory updates.

Does this vulnerability affect iOS or desktop Chrome users?

No. This flaw is specific to Chrome WebView on Android. iOS users use Apple's WebKit engine, and desktop browsers use a different implementation. Only Android Chrome and Android apps embedding WebView are affected.

What should I do if I cannot update immediately?

Until you can patch, limit visits to untrusted websites and avoid clicking suspicious links. Use Chrome's Safe Browsing feature (enabled by default) to block some malicious sites. If your organization allows it, consider using alternative browsers temporarily, though the most secure approach is to patch as soon as possible.

How can an attacker trigger this vulnerability?

An attacker creates a malicious webpage and tricks users into visiting it (via phishing, ads, or social engineering). The malicious page then exploits the WebView flaw to access data from other websites the user is logged into. The user does not need to take additional actions like entering credentials or disabling security features.

This analysis is provided for informational purposes to support vulnerability management and risk prioritization. Information is based on publicly available sources current as of the publication date. Consult Google's official security advisories and your vendor documentation for authoritative guidance. No exploit code or weaponized proof-of-concept is provided. Patch versions and timelines should be verified against official vendor releases before deployment in production environments. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).