MEDIUM 6.5

CVE-2026-11133: Chrome Paint Same-Origin Policy Bypass

A vulnerability in Google Chrome's Paint feature allows attackers to bypass the same-origin policy—a critical browser security boundary—through a specially crafted web page. An attacker could trick a user into visiting a malicious site and potentially access or modify content from another origin without permission. The vulnerability requires user interaction (clicking a link or visiting a page) but does not require special privileges. Chrome versions before 149.0.7827.53 are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-346
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient policy enforcement in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11133 stems from insufficient policy enforcement in Chrome's Paint implementation. The same-origin policy (SOP) is a foundational browser security mechanism that isolates scripts and data between different origins, preventing unauthorized cross-origin access. CWE-346 (Origin Validation Error) indicates the application fails to properly validate or enforce origin boundaries. An attacker crafts malicious HTML that exploits this weakness, allowing code execution or data access across origin boundaries. The vulnerability is rated CVSS 6.5 (Medium) with a vector indicating network-based attack, low complexity, and no privileges required—but user interaction is necessary. Chromium has classified this as Medium severity.

Business impact

Successful exploitation could result in unauthorized access to sensitive user data across different web origins, session hijacking, credential theft, or unauthorized modifications to web application state. For enterprises, this threatens the security of web-based applications and user accounts accessed through affected Chrome versions. The requirement for user interaction (clicking a link or visiting a page) limits mass exploitation but remains a practical risk in social engineering or supply-chain scenarios. Organizations relying on SOP as a security control for sensitive web applications should treat this as a priority update.

Affected systems

Google Chrome prior to version 149.0.7827.53 is the primary affected product. The vulnerability also impacts Chrome on Windows, macOS, and Linux systems. Organizations should verify their Chrome deployment versions across all endpoints, including enterprise and consumer devices, as well as web applications embedded in or interacting with Chrome.

Exploitability

Exploitability is moderate. The attack requires crafting a malicious HTML page and delivering it to a user—typically through phishing, malicious ads, or compromised websites. No special network position, authentication, or elevated privileges are required. However, the user must visit the attacker's page or interact with it (clicking elements, navigating content) for the exploit to trigger. This makes it practical but not automated or worm-like. No public exploit code or CISA KEV status is currently recorded, reducing imminent real-world risk, though motivated actors may rapidly develop and deploy exploits.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. The update patches the insufficient policy enforcement in Paint. On Windows, macOS, and Linux, use the built-in auto-update mechanism (Chrome typically checks for updates on startup) or manually navigate to Settings > About Chrome to trigger an immediate check. Verify successful patching via Settings > About Chrome, which displays the current version. For enterprise deployments using Google Admin Console, configure auto-update policies and monitor update status across managed devices.

Patch guidance

Patches are available in Chrome 149.0.7827.53 and later releases. Google's auto-update system should deliver the patch automatically to most users within days. Enterprise administrators should verify patch deployment through Google Admin Console reports and confirm version numbers across their fleet. Testing should focus on validating that the same-origin policy is properly enforced and that the Paint feature does not inadvertently allow cross-origin access. No breaking changes or compatibility regressions have been reported.

Detection guidance

Monitor Chrome version numbers across your environment using MDM/EMM solutions or enterprise reporting tools. Look for instances below version 149.0.7827.53. Network-based detection is limited because the attack is client-side and requires user interaction; it manifests as a benign-looking HTML page visit. Endpoint detection should focus on version inventory. If concerned about targeted attacks, monitor for suspicious web traffic to known malicious domains or phishing campaigns that might deliver the exploit page. Web application firewalls cannot effectively block this because the vulnerability is in the browser's policy enforcement, not the network or web server.

Why prioritize this

Prioritize this update because it directly undermines browser-level security isolation (same-origin policy), which protects against unauthorized cross-origin data access and session hijacking. Although the CVSS score is Medium and user interaction is required, the impact on confidentiality and integrity is significant for any web application or service relying on SOP. Rapid patching prevents attackers from weaponizing this against high-value targets. The broad deployment of Chrome across enterprise and consumer devices means delayed patching creates an expanding window of vulnerability.

Risk score, explained

CVSS 6.5 reflects a Medium severity with high integrity impact (I:H, unauthorized modification) but no confidentiality impact in the score vector, moderate attack complexity, and network accessibility. The score appropriately reflects the practical threat: network-based, easy to execute, but requires user interaction. The lack of KEV status indicates CISA has not yet confirmed active exploitation in the wild, but this should not delay patching, as the vulnerability's technical nature (SOP bypass) makes it valuable to attackers. Organizations should treat this as a standard-priority patch to deploy within 2–4 weeks.

Frequently asked questions

Does this vulnerability affect Chrome on all operating systems?

Yes. Google Chrome prior to version 149.0.7827.53 is vulnerable on Windows, macOS, and Linux. Chrome's auto-update mechanism works consistently across all platforms, so patch deployment timelines should be similar.

Can this vulnerability be exploited without user interaction?

No. The attack requires a user to visit a crafted HTML page or interact with content on it. It cannot be exploited remotely without any user action, such as through a drive-by download or automatic execution.

What is the same-origin policy, and why does this vulnerability matter?

The same-origin policy is a core browser security mechanism that restricts scripts from one origin from accessing data from another origin (defined by protocol, domain, and port). This prevents malicious sites from stealing session cookies, login credentials, or sensitive data from other websites. A bypass allows attackers to violate this isolation and access or modify cross-origin content.

Should I prioritize this patch over other pending updates?

This patch should be applied within your standard patch cycle (typically 2–4 weeks for Medium-severity vulnerabilities affecting widely deployed applications like Chrome). If you have a faster update policy for browser vulnerabilities, this qualifies for that track due to its impact on web security boundaries.

This analysis is based on the CVE record and Chromium security advisories as of June 2026. Patch version numbers, affected product versions, and remediation steps should be verified against official Google Chrome security releases and your organization's specific deployment. No exploit code or weaponization details are provided. Organizations should consult their own risk management policies and endpoint management tools to prioritize patching based on their environment, user base, and asset criticality. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).