MEDIUM 6.5

CVE-2026-11148: Chrome Android Payment Data Leak Vulnerability

A vulnerability in Google Chrome's payment processing on Android allows a malicious website to steal sensitive information from other websites you've visited or logged into. An attacker would need you to visit their crafted webpage, but requires no special system access. The issue stems from improper handling of cross-origin security boundaries in the Payments API implementation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-352
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Payments in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11148 is a cross-origin information disclosure vulnerability in the Payments implementation of Chromium/Google Chrome on Android versions prior to 149.0.7827.53. The flaw exploits insufficient validation or isolation when processing payment-related requests, allowing JavaScript executed in one origin to access sensitive data from another origin. The underlying weakness is categorized as CWE-352 (Cross-Site Request Forgery), though the actual impact manifests as data exfiltration rather than unauthorized state-changing operations. The vulnerability requires user interaction (visiting a malicious page) but no authentication or system-level privileges.

Business impact

This vulnerability poses a data confidentiality risk to Chrome users on Android, particularly those who actively use web-based payment services or maintain authenticated sessions across multiple websites. An attacker could extract authentication tokens, session identifiers, or other sensitive cross-origin data through a deceptive redirect or embedded malicious website. While not directly enabling account takeover or system compromise, the leaked information could facilitate credential stuffing, phishing follow-ups, or reconnaissance for more targeted attacks. Organizations should consider this in risk assessments for BYOD and employee mobile device policies.

Affected systems

Google Chrome on Android devices running versions prior to 149.0.7827.53 are affected. The vulnerability is specific to the Payments API implementation and is most relevant to users who interact with web-based payment workflows. Desktop and iOS versions of Chrome are not mentioned in the advisory. Users on Android 11 and later who have updated Chrome to 149.0.7827.53 or higher are not vulnerable.

Exploitability

Exploitability is moderate. An attacker must craft a malicious HTML page and convince a user to visit it, typically through social engineering, phishing emails, or ad networks. Once the user loads the page, the attack is automatic and requires no additional interaction beyond the initial visit. The attack succeeds when the target has active sessions or stored credentials in other browser tabs or windows. No zero-click exploitation, network-level privilege escalation, or authentication bypass is required, making this a practical concern for targeted or mass-distribution attacks.

Remediation

Users should update Google Chrome on Android to version 149.0.7827.53 or later. This patch addresses the improper payment implementation and restores proper cross-origin isolation. For organizations managing Android devices through Mobile Device Management (MDM) solutions, enforce automatic Chrome updates or push the minimum version 149.0.7827.53. Users unable to update immediately should avoid clicking untrusted links and disable third-party cookies in Chrome settings as a partial mitigation.

Patch guidance

Verify against Google's official Chrome release notes and security advisories that version 149.0.7827.53 or later is installed on Android devices. Chrome for Android typically updates automatically when connected to Wi-Fi; confirm automatic updates are enabled in device settings. For enterprise deployments, configure MDM policies to enforce the minimum version. Test any critical web-based payment workflows after patching to ensure no regressions in legitimate functionality.

Detection guidance

Monitor Chrome version compliance on Android devices using MDM or security agent telemetry. Flag devices running versions below 149.0.7827.53. Network-level detection is limited since the vulnerability involves legitimate payment API calls; focus on user education to recognize phishing attempts and malicious websites. Review authentication logs for unexpected token usage patterns or unusual geographic or device-based access from users' accounts, which may indicate successful cross-origin data leakage.

Why prioritize this

Assign this vulnerability medium-to-high priority in your Android device patching schedule. While the CVSS score of 6.5 reflects medium severity, the practical exploitability and the risk of credential theft in mobile banking and payment scenarios justify prompt remediation. Unlike many medium-severity issues, this one has clear real-world attack paths and affects a widely-used application on a major platform. Prioritize patching for devices belonging to users with high-value accounts or frequent payment activities.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects: Network-exploitable attack vector, low complexity, no privilege requirements, and user interaction needed (visiting a malicious page). The attack breaks confidentiality of cross-origin data but does not enable integrity violation or denial of service. The score appropriately captures the data leak risk; however, organizations handling sensitive payment data or users with valuable accounts may justify treating this as high-priority regardless of the base score.

Frequently asked questions

Can this vulnerability steal my passwords directly?

No, it does not automatically extract passwords. However, it can leak session tokens, authentication cookies, or other sensitive data from other websites you have open. An attacker could use this leaked data to bypass authentication or impersonate you on those sites, so the practical impact is similar to a credential compromise.

I use Chrome on my iPhone or desktop. Am I affected?

This vulnerability is specific to Chrome on Android. Desktop Chrome and iOS Chrome are not affected. However, you should still keep all browsers updated for protection against other vulnerabilities.

What is the difference between this and a typical cross-site scripting (XSS) attack?

XSS occurs when untrusted code is injected into a legitimate website. This vulnerability is different—it's a flaw in Chrome's Payments API that allows a site you visit to illegally peek at data from other sites, without requiring those other sites to be compromised. It's a browser implementation bug, not a web application vulnerability.

If I avoid visiting suspicious websites, am I safe?

Largely yes, but the risk cannot be eliminated entirely without patching. Malicious sites can be advertised, shared in trusted contexts, or injected through compromised legitimate ads. Patching is the only reliable mitigation. In the interim, disabling third-party cookies and using browser security features provides limited defense.

This analysis is based on publicly available information from Google's security advisory and the CVE database as of the publication date. Organizations should verify patch availability and compatibility with their specific Chrome and Android versions before deployment. This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, but that status may change. Always consult official vendor advisories for the most current information and test patches in a non-production environment first. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).