MEDIUM 4.3

CVE-2026-11126: Chrome DevTools Cross-Origin Data Leak via Malicious Extension

A flaw in Google Chrome's Developer Tools (DevTools) allows an attacker to access data from different websites if they can trick a user into installing a malicious browser extension. The vulnerability has a CVSS score of 4.3 (Medium severity) and requires user interaction—specifically, the user must be convinced to install the malicious extension. Once installed, the crafted extension can exploit improper input validation in DevTools to leak cross-origin data that should normally be protected by browser security policies.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-20
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11126 stems from an inappropriate implementation in Chrome's DevTools functionality that fails to properly enforce same-origin policy (SOP) controls. The vulnerability is classified under CWE-20 (Improper Input Validation), indicating that DevTools does not adequately validate or sanitize input from extension-provided sources. An attacker-controlled extension can craft requests that cause DevTools to expose sensitive data from other origins to which the user has access. The flaw affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux platforms. While the attack surface is network-accessible (AV:N) and requires no special privileges (PR:N), it mandates user interaction (UI:R)—specifically, the user must install the malicious extension—making it a low-volume but targeted risk vector.

Business impact

Organizations relying on Chrome as their primary browser face a confidentiality risk if employees are social-engineered into installing malicious extensions. Since the vulnerability does not enable code execution or system compromise, the immediate business damage is limited to data leakage. However, if a user installs a malicious extension on a device with access to sensitive applications (email, SaaS platforms, internal tools), an attacker could exfiltrate session tokens, authentication credentials, or sensitive business information visible in those applications' web interfaces. The Medium CVSS score reflects the relatively low likelihood of exploitation in practice—successful attacks depend on convincing users to bypass Chrome's extension permission warnings, which many users already treat with suspicion.

Affected systems

The vulnerability affects Google Chrome on all major platforms: Windows, macOS, and Linux. Users running Chrome versions 148 and earlier are at risk. The attack is not limited to enterprise deployments; any Chrome user who installs a malicious extension is potentially vulnerable. Organizations should also note that while the vulnerability description specifies Chrome, the vendor/product list includes Apple macOS, Linux, and Microsoft Windows—these entries refer to the operating systems on which vulnerable Chrome versions run, not independent flaws in those operating systems themselves.

Exploitability

Exploitability is constrained but practical. An attacker must convince a user to install a malicious extension, which typically involves social engineering via phishing, trojanized download sites, or compromised app stores. Users who are unfamiliar with Chrome's extension permission system or who are already disposed to trust extensions (e.g., from seemingly official sources) are at higher risk. Once installed, the extension automatically gains the ability to interact with DevTools, and no further user action is needed for data exfiltration. The attack does not require network privileges or authentication. However, the vulnerability does not permit remote code execution, system compromise, or privilege escalation—impact is strictly confidentiality of cross-origin data.

Remediation

Users should immediately update Chrome to version 149.0.7827.53 or later. Organizations should communicate the availability of this patch to end users and encourage prompt adoption. Administrators using Chrome in an enterprise environment can use group policy or mobile device management (MDM) settings to enforce automatic updates or to restrict extension installation to a curated allow-list. Additionally, security awareness training should remind users never to install extensions from untrusted sources and to review extension permissions carefully before installation.

Patch guidance

Google Chrome will automatically update to version 149.0.7827.53 or later on most systems; users can verify their current version in Chrome Settings > About Chrome. Organizations may stage rollout of the patch to test compatibility with internal applications and extensions before full deployment. No additional configuration steps are required to remediate this specific vulnerability once the patch is applied. Verify that installed extensions remain functional after patching and that any enterprise-critical extensions continue to operate as expected.

Detection guidance

Detection is challenging at the endpoint level because the exploit occurs entirely within the browser process. However, organizations can monitor for indicators such as: (1) unusual extension installations (compare against approved allow-list), (2) suspicious extension permissions requests in user activity logs or browser telemetry, and (3) network traffic anomalies from browsers attempting to connect to unexpected third-party domains. If Chrome Enterprise or similar logging is in use, review extension installation audit trails for unexpected or unauthorized extensions. Behavioral detection of data exfiltration (large outbound data transfers to unknown destinations during browser sessions) may also provide indirect signals. Most importantly, ensure Chrome versions are current so that the underlying vulnerability is eliminated.

Why prioritize this

While the CVSS score of 4.3 indicates a Medium severity, prioritization should be based on organizational risk tolerance and user population. In environments where Chrome extension policy is strictly enforced and users are trained to avoid untrusted extensions, the practical risk is low. Conversely, in organizations with permissive extension policies or limited security awareness, exploitation is more likely. Because the vulnerability requires user interaction (extension installation) and does not enable code execution, it ranks below Critical or High severity vulnerabilities in most threat models. However, it should not be neglected: in sectors handling sensitive data (finance, healthcare, legal) or where supply-chain attacks targeting extensions are plausible, this vulnerability warrants timely patching within standard maintenance windows.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects a Medium severity judgment based on: (1) network-accessible attack vector (AV:N), (2) low attack complexity requiring only social engineering (AC:L), (3) no special privileges required (PR:N), (4) user interaction mandatory—the user must install the extension (UI:R), (5) scope unchanged—the impact is limited to the user's own cross-origin data access (S:U), (6) confidentiality impact limited to low (C:L) because exfiltrated data is already visible to the user in the browser, and (7) no integrity or availability impact (I:N, A:N). The user-interaction requirement and absence of remote code execution prevent a higher score despite the network vector.

Frequently asked questions

Does this vulnerability allow an attacker to install extensions without user consent?

No. The user must explicitly install the extension. However, social engineering, trojanized websites, or compromised extension stores may trick users into doing so. This is why the vulnerability requires a malicious actor to 'convince' the user.

Will a browser security extension or ad blocker protect me from this vulnerability?

Not directly. A security extension cannot prevent DevTools from leaking cross-origin data if a malicious extension is already installed. However, some security tools can help detect or block the installation of suspicious extensions. The best defense is to keep Chrome patched and to install only extensions from trusted sources.

What if I have already installed a malicious extension?

After updating Chrome to version 149.0.7827.53 or later, the underlying vulnerability is patched and the malicious extension's ability to exploit DevTools is eliminated. However, you should still manually review your installed extensions, disable or remove anything unfamiliar or unneeded, and reset your passwords if you suspect credential leakage.

Does this affect Chromium-based browsers like Edge or Brave?

Potentially, if those browsers use an unpatched version of Chromium prior to 149.0.7827.53. Check the specific vendor advisories for Edge, Brave, and other Chromium derivatives for their patching timelines and version numbers.

This analysis is provided for informational purposes and reflects information available as of the publication and modification dates listed. CVSS scores and severity classifications are based on the official CVE record and Chromium security advisory. Organizations should verify patch availability and compatibility with their specific Chrome versions and enterprise policies before deploying updates. No guarantee is made regarding the completeness or accuracy of this analysis. For official vulnerability details, refer to the Google Chrome security advisory and the National Vulnerability Database (NVD). This document does not constitute professional security advice; consult with your internal security team or a qualified cybersecurity professional for guidance tailored to your environment. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).