CVE-2026-11129: Chrome Extension Cross-Origin Data Leak Vulnerability
Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser handles extensions that could allow an attacker to steal sensitive data from websites you visit. An attacker would need to trick you into visiting a malicious webpage, but if successful, they could read information from other sites you have open—potentially including login credentials, private messages, or financial data. This is a medium-severity issue that affects Chrome on Windows, macOS, and Linux.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-352
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11129 is a cross-origin data leak vulnerability in the Chrome Extensions implementation (Chromium security severity: Medium). The vulnerability stems from an inappropriate implementation that fails to enforce proper isolation between extension contexts and cross-origin data, allowing a remote attacker to exfiltrate sensitive information via a crafted HTML page. The flaw is classified under CWE-352 (Cross-Site Request Forgery), indicating a weakness in cross-origin request handling or validation. Exploitation requires user interaction (visiting a malicious page) but no authentication or special privileges. The attack surface is broad due to Chrome's ubiquity across operating systems.
Business impact
For organizations, this vulnerability poses a data exfiltration risk if employees use Chrome to access internal applications or cloud services. An attacker could potentially harvest session tokens, API keys, or confidential information from multiple tabs or origins simultaneously. The attack is silent and difficult to detect from the user's perspective. Organizations with strict data governance policies and those handling regulated data (PII, financial records, healthcare information) face elevated compliance and reputational risk until patching is complete. The need for user interaction (visiting a malicious site) somewhat limits the scope compared to fully remote attacks, but phishing and drive-by download campaigns could reliably trigger exploitation.
Affected systems
Google Chrome and Chromium-based browsers running versions prior to 149.0.7827.53 are affected. The vulnerability impacts Chrome on Microsoft Windows, Apple macOS, and Linux systems. Other Chromium-based browsers (such as Edge, Brave, Opera) may also be affected depending on their release cycle and patch status relative to the upstream Chromium fix. Organizations should verify version status across all Chromium derivatives in use.
Exploitability
The attack requires relatively low complexity and can be initiated over the network. A remote attacker must craft a malicious HTML page and convince or trick a user into visiting it—accomplished through phishing emails, compromised advertisements, malicious links, or social engineering. Once a user with Chrome open visits the page, the attacker can begin exfiltrating cross-origin data without additional user consent or interaction beyond the initial page load. The straightforward nature of the attack vector and the commonality of extensions in Chrome installations increase practical exploitability. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but the simplicity of the attack pattern suggests rapid weaponization is likely once public details emerge.
Remediation
Immediately update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically handles this transparently, but administrators should verify completion across their fleet. For enterprise deployments, use Chrome's Group Policy or MDM controls to enforce the minimum version. Additionally, audit which extensions are installed in your environment and disable or remove unnecessary extensions to reduce the attack surface. Consider implementing content security policies and monitoring extension behavior through Chrome's enterprise reporting tools.
Patch guidance
Google Chrome will automatically update to patched versions 149.0.7827.53 and later. Verify the update by navigating to Chrome menu > Help > About Google Chrome; the browser will check for updates and display the current version. Enterprise administrators should confirm patch deployment via their MDM console or Group Policy audit logs. For Chromium-based browsers (Edge, Brave, etc.), check each vendor's release cycle; Microsoft Edge typically receives patches within days of Chromium releases. Ensure all users and machines are running the patched version before considering the vulnerability remediated.
Detection guidance
Monitor for successful exploitation by reviewing Chrome extension audit logs and user browsing history for unexpected cross-origin data access patterns, particularly from lesser-known or recently installed extensions. Implement network-level detection by identifying HTTP requests originating from compromised browsing sessions that access data from unexpected origins. Browser telemetry logs (if enabled in your organization) can reveal extension behavior anomalies. Look for signs of phishing campaigns that might precede exploitation attempts. Security teams should also monitor threat intelligence feeds for proof-of-concept or exploit code targeting CVE-2026-11129.
Why prioritize this
Despite a medium CVSS score of 6.5, this vulnerability merits high prioritization due to the ubiquity of Chrome, the ease of crafting a malicious page, and the sensitivity of data at risk (session tokens, credentials, confidential communications). The requirement for user interaction prevents it from being critical, but the likelihood of successful exploitation via phishing and the silent nature of the attack elevate real-world risk. Organizations handling sensitive data or operating in regulated industries should prioritize patching within one business week.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects: Network-based attack vector (AV:N) requiring no special network conditions (AC:L), no authentication (PR:N), but requiring user interaction to visit a malicious page (UI:R). The impact is confined to confidentiality (C:H)—the attacker can read cross-origin data—with no integrity or availability impact (I:N, A:N). The score appropriately captures the real but not critical risk; user interaction requirement and lack of code execution prevent a higher rating, while the sensitive nature of data at risk justifies the medium-to-higher range within that severity level.
Frequently asked questions
Can this vulnerability steal my passwords directly?
Not directly, but it can leak authentication tokens, session cookies, or API keys stored in browser memory or accessible through cross-origin requests. If your banking or email site is open in another tab, an attacker could read sensitive data from that page. It depends on how the target website stores and exposes authentication credentials.
Do I need to do anything other than update Chrome?
Update Chrome immediately. Beyond that, consider auditing your installed extensions—disable or remove ones you don't recognize or no longer use. Use caution when clicking links in emails or messages, as phishing campaigns may be used to deliver the malicious page. Organizations should ensure their security policies limit exposure to untrusted websites.
Will my antivirus detect this attack?
Antivirus and anti-malware tools may catch the delivery mechanism (e.g., a phishing email or drive-by download page), but the exploit itself is a client-side browser flaw, not traditional malware. Once the user visits the malicious page, the attack occurs within the trusted Chrome process, making detection difficult for endpoint protection. Browser-level logging and network monitoring are more effective.
Is this vulnerability actively being exploited in the wild?
As of the publication date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, but given the ease of exploitation and the value of stolen cross-origin data, weaponized proof-of-concept code and active attacks are likely to emerge quickly. Monitor security advisories and your organization's threat intelligence feeds for confirmation.
This analysis is provided for informational purposes and represents the judgment of SEC.co security analysts based on publicly available information as of the publication date. CVSS scores, affected product versions, and patch availability are sourced from official vendor advisories and the National Vulnerability Database. No exploit code or weaponized proof-of-concept materials are provided. Organizations should verify patch applicability and compatibility within their own environments and consult vendor documentation for definitive guidance. Actual exploit activity, attack sophistication, and organizational risk may differ based on deployment-specific factors, security posture, and threat model. SEC.co makes no warranties regarding the completeness or accuracy of this analysis and disclaims liability for decisions made in reliance upon it. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11084MEDIUMChrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
- CVE-2026-11106MEDIUMCross-Origin Data Leak in Google Chrome Media Component
- CVE-2026-11134MEDIUMChrome Media Component Cross-Origin Data Leak Vulnerability
- CVE-2026-11139MEDIUMChrome Cross-Origin Data Leak in Paint Implementation
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer