CVE-2026-11135: Chrome Autofill Bypass Allows Credential Misdirection
Google Chrome's Autofill feature fails to properly enforce security policies, allowing attackers to trick users into bypassing security controls through specially crafted web pages. An attacker cannot steal data directly, but can manipulate what gets filled into form fields—potentially leading users to submit sensitive information to the wrong destination or trigger unintended actions. The vulnerability requires user interaction (clicking or interacting with the page) and affects Chrome versions before 149.0.7827.53.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11135 is a policy enforcement bypass in the Chromium Autofill subsystem. The vulnerability (CWE-284: Improper Access Control) stems from insufficient validation of autofill policies when processing HTML page content. An unauthenticated remote attacker can craft a malicious HTML page that, when visited by a user, exploits the autofill mechanism to override or circumvent intended access controls. The attack vector is network-based with low complexity, but requires user interaction. The impact is integrity-focused: attackers can modify the information flow without gaining confidentiality access or causing availability disruption. Chromium categorizes this as medium severity.
Business impact
This vulnerability creates risk in scenarios where employees use Chrome for accessing internal systems, banking portals, or form-based workflows. An attacker could craft a convincing phishing page that intercepts and modifies autofilled credentials or sensitive form data, redirecting submissions to attacker-controlled endpoints. While not a direct data theft vector, it amplifies phishing and social engineering campaigns by leveraging browser trust in stored credentials. Organizations relying on Chrome in regulated environments (finance, healthcare, legal) should assess whether this affects compliance posture for data integrity controls.
Affected systems
The vulnerability affects Google Chrome on Windows, macOS, and Linux. All Chrome versions prior to 149.0.7827.53 are vulnerable. Users of Chromium-based browsers (Edge, Brave, Opera, etc.) may be affected depending on their Chromium version; verify the specific browser vendor's advisory for version alignment. The underlying issue is in the Chromium project, so patch timing varies by downstream vendor.
Exploitability
Exploitation requires social engineering—the attacker must trick a user into visiting a malicious website. The crafted HTML page does the heavy lifting; no client-side exploits, memory corruption, or zero-click mechanisms are involved. This lowers the technical bar but means success depends on user deception. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no evidence of widespread active exploitation in the wild as of the last KEV update. However, the straightforward attack pattern (phishing + malicious page) makes it a likely target for opportunistic attackers once patches lag in real-world deployments.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. For enterprise environments, use Chrome update policies to enforce deployment across managed devices. Verify that downstream Chromium-based browsers (Edge, Brave, etc.) have received corresponding patches and schedule updates accordingly. No workarounds exist; patching is the only mitigation.
Patch guidance
Prioritize patch deployment for Chrome within 2–4 weeks of the published date (June 4, 2026). For organizations with auto-update enabled, no manual action is required. For manual update workflows: navigate to Chrome Menu > Help > About Google Chrome, which will check for and install available updates. On Windows, macOS, and Linux, the process is identical. For enterprise deployments using Google Admin Console, create a Chrome update policy targeting version 149.0.7827.53 or newer and communicate the deadline to end users. Test patches in a staging environment first if your organization manages Chrome via group policy or MDM.
Detection guidance
Monitor Chrome version adoption across your environment using endpoint visibility tools (EDR, MDM, asset inventory). Flag any devices running Chrome versions below 149.0.7827.53 for prioritized patching. At the perimeter, monitor for phishing emails or credential-harvesting campaigns that reference autofill functionality or promise form-filling convenience. Browser telemetry (where available) may flag unusual autofill behavior; review Chrome security logs if your organization has enabled incident reporting. No network signatures can reliably detect this exploit class since the attack surface is the rendered HTML page itself.
Why prioritize this
CVSS 6.5 (Medium) with user interaction requirement and no KEV listing keeps this vulnerability moderate in urgency. However, it directly enables phishing and credential misdirection—threats with proven ROI for attackers. The simplicity of the attack (send phishing link, let the browser's trust in autofill do the work) warrants faster patching than the CVSS score alone suggests. Patch within 30 days; prioritize any Chrome instances used for sensitive workflows (banking, HR systems, email access).
Risk score, explained
The CVSS 6.5 score reflects network accessibility, low complexity, user interaction, and integrity-only impact. The score appropriately penalizes the requirement for user deception but does not amplify the social engineering dimension. In real-world risk modeling, factor in your organization's phishing susceptibility, reliance on autofill for sensitive workflows, and the maturity of your end-user security awareness program. Organizations with strong email filtering and user training can tolerate slightly longer patch windows; those with high-risk user populations should prioritize sooner.
Frequently asked questions
Will Chrome automatically update to the patched version?
Yes, if you have automatic updates enabled (the default for most users). Chrome checks for updates roughly every 30 minutes and will prompt you to relaunch the browser when a new version is available. On Windows, macOS, and Linux, you can also manually trigger an update by going to Chrome Menu > Help > About Google Chrome.
Can I be attacked if I never use autofill?
This vulnerability specifically targets the autofill feature. If you have disabled autofill entirely in Chrome settings (Settings > Autofill and passwords > Autofill), the attack surface is significantly reduced. However, disabling autofill is not a substitute for patching, as it's a common and useful feature for many users.
Is this vulnerability being actively exploited?
As of publication, this CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning no confirmed in-the-wild exploitation has been publicly reported. However, the straightforward nature of the attack (phishing + malicious page) makes it an attractive target for attackers once it becomes public knowledge. Do not delay patching based on KEV status.
Which Chromium-based browsers are affected?
The vulnerability is in the Chromium project itself, so any browser built on Chromium (Chrome, Edge, Brave, Opera, etc.) is potentially affected. Check your browser vendor's security advisory for the patched version number, as release cycles differ across vendors. For example, Microsoft Edge may patch on a different schedule than Google Chrome.
This analysis is based on official CVE data and vendor security advisories as of the publication date (June 4, 2026). Patch version numbers and availability should be verified directly with Google's Chrome release notes and your organization's update channels. This vulnerability requires user interaction (visiting a malicious page) and is not a remote code execution or zero-day concern. No active exploitation has been confirmed as of the KEV publication date; however, absence from the KEV catalog does not guarantee safety and should not delay patching. For mission-critical systems or high-risk user populations, apply patches within 30 days of release. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)
- CVE-2026-11026MEDIUMChrome Extension Navigation Bypass Vulnerability
- CVE-2026-11078MEDIUMChrome FileSystem Same-Origin Policy Bypass – MEDIUM Severity
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability