CVE-2026-11105: Cross-Origin Data Leak in Chrome WebUI
A flaw in Google Chrome's WebUI component fails to properly validate user-supplied input, allowing an attacker who has already compromised Chrome's renderer process to trick the browser into leaking sensitive data from other websites. The vulnerability requires the renderer to be compromised first, which significantly limits the attack surface. Chrome versions before 149.0.7827.53 are affected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in WebUI in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11105 stems from insufficient input validation in the WebUI layer of Chromium. An attacker with control over the renderer process can craft a malicious HTML page that bypasses security boundaries and extracts cross-origin data that should remain isolated. The vulnerability is classified as CWE-20 (Improper Input Validation) and carries a CVSS 3.1 score of 6.5 (Medium). The attack vector is network-based with low complexity, requires no privileges, but does demand user interaction and only impacts confidentiality—not integrity or availability.
Business impact
Organizations relying on Chrome for sensitive web-based workflows face a potential data exposure risk if renderer compromises occur in their environment. The prerequisite of a compromised renderer process means this is typically part of a multi-stage attack chain, rather than a standalone vulnerability. However, once the renderer is compromised, any sensitive data in the user's browsing context—such as authentication tokens, form data, or third-party service information—becomes accessible to the attacker. This elevates the value of renderer exploits and underscores the importance of defense-in-depth strategies.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are vulnerable. Chrome runs on multiple operating systems, including Windows, macOS, and Linux, so the exposure is broad across platforms. Users and organizations running outdated Chrome instances are at risk.
Exploitability
Exploitation requires that an attacker has already compromised the Chrome renderer process through another vulnerability or attack method. This is a non-trivial prerequisite, which reduces the standalone exploitability of CVE-2026-11105. However, once the renderer is controlled, triggering the vulnerability is relatively straightforward—the attacker simply needs to serve a crafted HTML page that the user visits. No additional user interaction beyond normal browsing is required beyond the initial click. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, suggesting no active in-the-wild exploitation has been publicly documented at this time.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Google has designated this a Medium-severity issue and has included a fix in the specified release. Verify the patched version on all systems running Chrome. Additionally, organizations should reinforce other defenses against renderer compromise—such as sandboxing, process isolation, and Site Isolation features that Chrome provides by default—to reduce the likelihood of the prerequisite condition occurring.
Patch guidance
Deploy Google Chrome 149.0.7827.53 or any subsequent release. Verify the update has been applied by navigating to Chrome's Settings > About Chrome, which will display the currently installed version and automatically check for updates. For enterprise environments, use Chrome policy updates to enforce deployment of the patched version. Test in a non-production environment first, though this patch addresses only a Medium-severity issue and should not introduce breaking changes.
Detection guidance
Monitor for unusual access patterns or cross-origin data exfiltration from Chrome processes in your environment. Examine browser console logs and network traffic for unexpected API calls or data transfers between unrelated domains. If you suspect a renderer has been compromised, look for signs of prior exploitation—such as anomalous child process creation, suspicious plugin/extension behavior, or memory corruption artifacts. Endpoint detection and response (EDR) tools should flag renderer crashes or restarts that could indicate exploitation attempts. Note that this vulnerability alone does not generate obvious network signatures; detection relies on identifying the renderer compromise that precedes it.
Why prioritize this
While the CVSS score is 6.5 (Medium), the requirement for a prior renderer compromise substantially lowers the standalone risk. Organizations should prioritize patching as part of regular Chrome maintenance schedules but should not elevate it above critical business interruption or high-severity vulnerabilities with direct attack vectors. However, if renderer exploits are actively being used in your threat landscape, this vulnerability becomes more relevant because it amplifies the damage from those initial compromises.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects a network-accessible vulnerability with low attack complexity and user interaction required, but significant confidentiality impact. The vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) correctly captures that the vulnerability does not require prior privileges, demands interaction (the user must visit a page), and is scoped to the user's browsing session. The Medium severity is appropriate given the prerequisite of renderer compromise, which CVSS models indirectly through its interaction and complexity factors. Organizations with robust sandboxing and Site Isolation should see reduced real-world risk.
Frequently asked questions
What does 'renderer process' mean and why is it a prerequisite?
Chrome uses a multi-process architecture where each tab or site runs in a separate renderer process for isolation. If that process is compromised—via a separate vulnerability or malware—an attacker can execute code within it. This vulnerability only matters if that precondition exists. In isolation, CVE-2026-11105 cannot be exploited from outside the browser.
Is this a zero-day, and is anyone actively exploiting it?
No. The vulnerability was patched in Chrome 149.0.7827.53 and does not appear on CISA's Known Exploited Vulnerabilities list, so there is no public evidence of active in-the-wild exploitation. It was disclosed and fixed through Google's normal security process.
Which data can be leaked, and from where?
An attacker with a compromised renderer can leak cross-origin data—meaning data from websites other than the one the user is actively viewing. This could include authentication tokens, cookies, form data, or API responses from third-party services the user has visited. The exact scope depends on the attacker's ability to navigate or inject content into those contexts.
Does Chrome's Site Isolation feature protect against this?
Site Isolation is a Chrome hardening feature that isolates each website in its own process. Even if one process is compromised, Site Isolation makes it more difficult to access data from other sites. However, this vulnerability assumes the attacker already has renderer control, so Site Isolation's benefit is in making that initial compromise harder, rather than fully preventing this specific attack.
This analysis is based on publicly available vulnerability data and vendor advisories current as of the publication date. Security assessments and risk prioritization should account for your organization's specific threat environment, asset criticality, and existing defenses. Always verify patch version numbers and compatibility requirements against the official Google Chrome security advisory before deployment. This vulnerability requires a compromised renderer process to be exploited; patching alone does not eliminate the underlying risk of renderer compromise. SEC.co provides this information for informational purposes and recommends consultation with your security team and vendors for deployment decisions. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11023MEDIUMChrome Same-Origin Policy Bypass in WebAppInstalls