MEDIUM 6.5

CVE-2026-11127: Domain Spoofing in Chrome Android WebAPKs – Patch Guide

Google Chrome on Android contains a flaw in how it handles WebAPKs—web applications packaged as native Android apps—that could allow an attacker to trick users into believing they're visiting a legitimate website when they're actually on a spoofed domain. An attacker would need to craft a malicious WebAPK and get a user to install it, but once active, the spoofing could occur without additional user interaction beyond normal app use. This affects Chrome versions before 149.0.7827.53 on Android.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-358
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in WebAPKs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted WebAPK. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11127 stems from an inappropriate implementation in the WebAPK subsystem of Chromium (Google Chrome's engine). WebAPKs enable developers to package web applications as installable Android apps that run with app-like integration. The vulnerability allows a remote attacker to perform domain spoofing—displaying a different domain to the user than the one actually being loaded—through a crafted WebAPK. The root cause maps to CWE-358 (Improperly Implemented Security-Relevant State Management), suggesting the application fails to properly track or enforce the security context of the displayed domain. The attack requires network access and user interaction (installing the WebAPK), but no privileges.

Business impact

For organizations and enterprises, this vulnerability poses a moderate but real risk to employees using Chrome on Android devices. A well-crafted phishing campaign could distribute a malicious WebAPK disguised as a legitimate company app, then display spoofed internal or partner domains to harvest credentials or trick users into authorizing actions. Mobile-first or BYOD environments face heightened exposure. Financial institutions, SaaS providers, and any organization where users authenticate via mobile Chrome should prioritize this patch to prevent credential theft and account compromise linked to domain spoofing.

Affected systems

The vulnerability affects Google Chrome on Android devices running version 149.0.7827.52 and earlier. While the description references Chrome specifically, the underlying engine is Chromium, so other Chromium-based browsers on Android (such as Edge, Opera, or Samsung Internet, depending on their update cadence) may be similarly affected—verify with those vendors. Desktop Chrome is not affected. The vulnerability requires a user to install and interact with a malicious or compromised WebAPK, so attack surface depends on distribution and user trust in app sources.

Exploitability

Exploitation is moderately straightforward but not trivial. An attacker must first craft a malicious WebAPK, then convince users to install it—either through deceptive distribution (app store impersonation, phishing links, or social engineering) or by compromising a legitimate app developer's build pipeline. Once installed, the spoofing occurs at runtime without further user action. The CVSS score (6.5) reflects this: network-accessible, low complexity, but requires user interaction (installing the app). The flaw is not in the wild per CISA KEV data, but the attack pattern aligns with established phishing and credential-harvesting campaigns.

Remediation

Update Google Chrome on Android to version 149.0.7827.53 or later. Google has released patches addressing this WebAPK handling flaw. For organizations managing Android devices via MDM (Mobile Device Management), enforce a minimum Chrome version policy. Additionally, educate users to install apps only from the official Google Play Store and to verify app publisher identity before installation. Monitor for suspicious WebAPK installations or app-store listings impersonating internal tools.

Patch guidance

Google has addressed this vulnerability in Chrome 149.0.7827.53. Verify patch availability and deployment through Google's official Chrome release notes and your organization's update channels. For managed Android environments, use MDM policies to enforce automatic or staged updates. Test patched Chrome versions in a pilot group before broad deployment to ensure compatibility with line-of-business apps and internal web applications. Update timelines: treat this as a standard-priority patch; enterprises should aim to deploy within 30 days but may prioritize faster if mobile access to sensitive systems is prevalent.

Detection guidance

Monitor Android device logs and MDM telemetry for Chrome versions below 149.0.7827.53. Watch for unusual WebAPK installations—particularly those not distributed through Google Play Store or from untrusted sources. Use security awareness simulations to test how employees respond to suspicious app installation prompts. If available, enable Chrome Enterprise device policy logging to flag version mismatches. Incident response should include reviewing user authentication logs for activity shortly after installing unfamiliar WebAPKs, as this pattern may indicate successful credential theft via spoofed domains.

Why prioritize this

While CVSS 6.5 ranks this as medium severity, the integrity impact (I:H in the vector) reflects genuine harm: domain spoofing directly undermines user trust in web identity and enables phishing-based credential theft. The requirement for app installation raises the bar above simple network exploits, but the ease of social engineering app distribution—especially in less-security-aware user populations—warrants prompt patching. Prioritize this for users in finance, healthcare, or other high-value credential targets.

Risk score, explained

CVSS 3.1 score of 6.5 is driven by: network-accessible attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), and high integrity impact (I:H—the user sees a false domain). Confidentiality and availability are unaffected. User interaction is required (UI:R), which moderates the score. The scope is unchanged (S:U). For organizations, adjust this score upward if mobile Chrome is critical to authentication workflows or if your user base is frequently targeted by phishing. Adjust downward if Chrome on Android is heavily restricted or if authentication is enforced via alternative channels (e.g., hardware tokens, push notifications).

Frequently asked questions

Can an attacker exploit this without convincing the user to install an app?

No. The vulnerability requires the user to install the malicious WebAPK. There is no remote code execution or wormable mechanism. The attacker's success depends entirely on social engineering or compromised distribution channels—for instance, phishing emails directing users to a fake app store link, or infiltrating a developer's build system.

Does this affect Chrome on Windows, Mac, or Linux?

No. The vulnerability is specific to WebAPKs on Android. Desktop versions of Chrome and other Chromium-based browsers are not affected. Android is the only platform where WebAPKs are used in this manner.

What is a WebAPK and why should I care?

A WebAPK is a way to package a web application (like a web app or PWA) as a native Android app, allowing it to behave like a standard app with home-screen shortcuts, notifications, and seamless integration. They're convenient but, as this CVE shows, they can be misused. Users should be cautious about installing WebAPKs from untrusted sources and prefer official app store distributions.

Will my organization's MDM automatically patch Chrome if we don't manually push an update?

Typically, Chrome on Android auto-updates through Google Play, but the timing varies by device and user settings. For compliance and security, use MDM policies to enforce a minimum Chrome version and regularly audit installed versions. Do not rely solely on automatic updates for time-sensitive patches—consider staged manual deployment for critical environments.

This analysis is based on publicly available information as of the CVE publication date. Security advisories and patch availability may evolve; verify all patch versions and deployment details against Google's official Chrome release notes and your vendor's security documentation. This content is for informational purposes and does not constitute legal or compliance advice. Conduct your own risk assessment based on your environment, user population, and security posture. Exploit code and weaponized proof-of-concepts are not provided; use this guidance only for defensive and authorized security testing. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).