MEDIUM 6.5

CVE-2026-11128: Chrome Web Share Cross-Origin Data Leak Vulnerability

Google Chrome versions before 149.0.7827.53 contain a flaw in the Web Share feature that allows attackers to steal data from other websites. The vulnerability requires tricking a user into clicking or interacting with elements on a malicious webpage. Once triggered, an attacker can access information from cross-origin sources—essentially reading data they shouldn't have access to. This is a client-side issue affecting individual users rather than servers, and the bar for exploitation is user interaction on a crafted page.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-20
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Web Share in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11128 stems from an inappropriate implementation in Chrome's Web Share API, specifically a cross-origin data leak vulnerability. The flaw allows a remote attacker to exfiltrate sensitive cross-origin data when a user performs deliberate UI gestures (such as clicks or form interactions) on an attacker-controlled HTML page. The vulnerability is classified under CWE-20 (Improper Input Validation), though the core issue relates to insufficient boundary enforcement between origins. The CVSS 3.1 score of 6.5 (Medium) reflects network accessibility, low complexity, and high confidentiality impact, though no integrity or availability compromise occurs. Chrome's Chromium project designated this as Medium severity.

Business impact

The primary business risk is data exposure for users of affected Chrome browsers, particularly those accessing sensitive web applications. Organizations with employee populations using Chrome may face indirect risk if internal web tools or SaaS platforms become attack vectors. The confidentiality impact is high for any user targeted by a phishing or watering-hole campaign employing a crafted page. However, the need for active user engagement limits the scale of passive exploitation. Reputation and trust damage could result if an organization's web application is leveraged in such an attack.

Affected systems

Google Chrome prior to version 149.0.7827.53 is the primary affected product. The vulnerability affects Chrome on multiple operating systems: Windows, macOS, and Linux. Users running older Chrome versions remain exposed until they update. Notably, the CVE lists Apple macOS and Linux kernel as affected platforms, indicating Chrome's cross-platform nature; the vulnerability is in the browser, not the OS itself.

Exploitability

Exploitation requires social engineering—an attacker must convince a user to visit a malicious webpage and perform specific UI gestures (clicks, selections, form submissions). The attack surface is broad (any website can host the payload), but the barrier to entry is the user's active participation. There is no indication of prerequisite authentication or unusual browser configuration. The vulnerability is likely not trivial to exploit reliably across different user behaviors, but once triggered, the data leak is deterministic. As of the provided data, this CVE is not listed on the CISA Known Exploited Vulnerabilities catalog, suggesting active exploitation in the wild has not been documented at publication.

Remediation

Organizations should communicate the importance of keeping Chrome updated to version 149.0.7827.53 or later. Enterprise environments using Chrome policy controls (Google Admin Console, Active Directory integration, or third-party MDM solutions) can force automatic updates or require manual patching within a defined maintenance window. Users on personal devices should enable automatic updates in Chrome settings. No workarounds are available; patching is the only mitigation.

Patch guidance

Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically rolls out patches within 24–48 hours on most systems; verify your installed version in chrome://settings/help (Chrome will download and apply updates automatically, or show a restart prompt). For enterprise deployments, leverage the GoogleChromeBrowser policy or equivalent platform-specific patch management. Test the patch in a non-production environment if you maintain a controlled Chrome deployment, then schedule a rollout to user populations. Verify successful patching by confirming the version number post-update.

Detection guidance

Detection is primarily user-centric: monitor for suspicious or unexpected prompts to engage with websites, particularly those requesting permission to access clipboard, camera, or microphone data (common in Web Share flows). Network-level detection is challenging since the attack occurs client-side and involves legitimate HTTPS traffic to attacker-controlled domains. Endpoint Detection and Response (EDR) tools may flag unusual Web Share API activity or data exfiltration patterns if configured to monitor process behavior. Consider blocking known malicious domains used in campaigns via DNS filtering or proxy controls. Log user-initiated Chrome updates and version compliance to identify lagging systems.

Why prioritize this

This vulnerability merits moderate-to-high prioritization due to its broad reach (all Chrome users on multiple OS platforms), high confidentiality impact, and network accessibility. However, the requirement for active user interaction and the absence of active exploitation reduce urgency compared to critical or high-severity flaws. Prioritize patching for users handling sensitive data (finance, healthcare, HR) and ensure compliance with security baselines that require current browser versions. Organizations should complete patching within 30 days of release.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects a network-accessible attack with low complexity and no special privileges required, but compensated by the requirement for user interaction. The high confidentiality impact (C:H) is offset by no integrity or availability impact (I:N, A:N). This score appropriately captures the real-world risk: significant for targeted users but not catastrophic enterprise-wide. The absence of KEV status and lack of reported in-the-wild exploitation suggest the vulnerability is being addressed proactively rather than reactively.

Frequently asked questions

Can this vulnerability be exploited without user interaction?

No. The vulnerability explicitly requires a user to perform specific UI gestures on a crafted webpage—such as clicking, typing, or otherwise interacting with page elements. Passive browsing or automatic page loads do not trigger the flaw.

Does updating Chrome remove all risk, or are other steps needed?

Updating to version 149.0.7827.53 or later fully addresses this specific vulnerability. No additional mitigation steps are required once patched, though maintaining a general security hygiene practice (avoiding suspicious websites, phishing awareness) remains good practice.

Are older Chrome versions on older operating systems (Windows 7, older macOS) still at risk?

Yes. Any Chrome version prior to 149.0.7827.53 on any supported OS (including older Windows or macOS versions that still receive Chrome updates) remains vulnerable. However, Chrome support timelines vary; verify your OS vendor's Chrome support status if running legacy operating systems.

If a user is compromised via this vulnerability, what data is at risk?

The vulnerability allows leakage of cross-origin data—information normally protected by the browser's same-origin policy. This could include session tokens, CSRF tokens, private messages, or other sensitive information from websites the user is logged into. The extent depends on what websites the user visits and their authentication state.

This analysis is based on publicly available data as of the CVE publication date (2026-06-04) and modification date (2026-06-17). Patch version numbers and affected versions are as reported by Google and NIST sources. Organizations should verify compatibility, test patches in non-production environments, and consult vendor advisories for environment-specific guidance. SEC.co assumes no liability for system outages or unintended consequences resulting from patch deployment. This content is for informational purposes and does not constitute professional security advice tailored to individual risk profiles or regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).