CVE-2026-11161: Chrome DataTransfer Cross-Origin Data Leak
Google Chrome versions prior to 149.0.7827.53 contain a flaw in how it handles cross-origin data transfers. An attacker can craft a malicious HTML page that, when visited by a user, leaks sensitive information from websites the user is logged into or has visited. The vulnerability requires user interaction (clicking or visiting the page) but does not require special browser permissions or user sophistication to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-346
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in DataTransfer in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11161 stems from an inappropriate implementation in Chrome's DataTransfer mechanism, which governs how data moves between different security origins in the browser. The vulnerability is classified as CWE-346 (Origin Validation Error), indicating that Chrome fails to properly validate or enforce origin boundaries during data transfer operations. An attacker-controlled HTML page can be weaponized to exfiltrate cross-origin data by exploiting this validation gap. The Chromium project assigned this a Medium severity rating, reflecting the need for user interaction and the limited scope of exposure per successful attack.
Business impact
Data leakage through cross-origin data transfer bypasses the same-origin policy, a cornerstone of web application security. For organizations, this means credentials, session tokens, personal information, or confidential business data visible in a user's browser could be accessed by malicious websites. The impact scales with the sensitivity of data users access in their browsers—financial services, healthcare platforms, and internal tools are particularly at risk. Each successful exploit affects only the targeted user's session, limiting mass-compromise potential but creating targeted phishing and supply-chain attack vectors.
Affected systems
The vulnerability affects Google Chrome on Windows, macOS, and Linux systems running versions prior to 149.0.7827.53. While the CVE references Chrome, the underlying Chromium project serves as the foundation for multiple Chromium-based browsers (Edge, Opera, Brave, etc.); organizations should verify patch status across all Chromium derivatives in their environment. Users on older Chrome release channels (Extended Stable, etc.) may lag behind standard updates.
Exploitability
Exploitation requires user interaction—a victim must visit or interact with an attacker-controlled webpage. No user authentication bypass, plugin installation, or elevated privileges are needed. The attack is network-accessible and straightforward to deploy via malicious links in phishing emails, compromised websites, or watering hole attacks. While not trivially exploited in the wild without a functional payload, the attack surface is broad given Chrome's ubiquity and the prevalence of web browsing. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting limited active exploitation in the public domain as of the publication date.
Remediation
Users and administrators must update Google Chrome to version 149.0.7827.53 or later. Chromium-based browsers (Edge, Brave, Opera) should be checked for analogous patched versions, as they may bundle the same vulnerable code. Browser auto-update mechanisms on Windows and macOS will deliver patches automatically, but administrators managing locked-down deployments should verify patch deployment through their distribution channels. No workarounds exist; patching is the only mitigation.
Patch guidance
Update Chrome via Settings > About Chrome, which will automatically download and install the latest version (149.0.7827.53 or newer) and prompt for restart. For enterprise deployments, verify patch status through Chrome Enterprise console or device management systems. If your organization uses Chromium-based alternatives (Edge, Brave), check their respective vendor advisories for patch availability and version numbers. Prioritize patching for users who access sensitive web applications or internal services in their browsers.
Detection guidance
Monitor for Chrome version drift in your environment using endpoint management tools or browser telemetry. Alert on users running Chrome versions below 149.0.7827.53. Analyze web logs for unusual cross-origin requests or data exfiltration patterns, though this vulnerability does not create obvious network signatures. Deploy web filtering to block known phishing campaigns that may exploit this flaw. Track CISA advisories and vendor security bulletins for indicators of active exploitation.
Why prioritize this
While the CVSS score of 4.3 reflects a Medium severity, the broad deployment of Chrome, the simplicity of the attack vector, and the potential for targeted data exfiltration warrant prompt patching. Organizations with high-value users (executives, engineers, financial staff) who access sensitive data in browsers should prioritize this update. The lack of KEV designation suggests this is not yet widely weaponized, providing a window to patch before attacker interest increases.
Risk score, explained
The CVSS 3.1 score of 4.3 (Medium) reflects a network-accessible vulnerability with low attack complexity, requiring only user interaction, and resulting in confidentiality impact without integrity or availability loss. The score appropriately captures the sneaky nature of data leakage—hard to detect and damaging to privacy—while acknowledging the dependency on user interaction and the lack of remote code execution or privilege escalation. For organizations handling sensitive web-based data, the real-world risk may exceed this base score if users regularly interact with untrusted websites.
Frequently asked questions
Can an attacker use this vulnerability to steal my passwords or banking credentials?
Yes. If you are logged into a banking or email account and visit a malicious webpage, the attacker could potentially leak data that your browser holds about those cross-origin sites, including sensitive information visible in the page context. This underscores the importance of not visiting untrusted links and keeping your browser patched.
Do I need to do anything special if I use a Chromium-based browser like Edge or Brave?
Check your browser's version and update settings. Edge, Brave, Opera, and other Chromium derivatives may be affected if they bundle the vulnerable code from the same Chromium release. Verify patch availability from your browser vendor and apply updates promptly. Auto-update is typically enabled by default.
Is my data at risk if I just update Chrome?
Updating to 149.0.7827.53 or later patches the vulnerability on your system. However, you remain vulnerable until you update. Active exploitation in the wild appears limited as of June 2026, but patching should not be delayed. The fix is straightforward and requires only a restart.
How would an attacker even craft a page to exploit this?
An attacker would use knowledge of the DataTransfer implementation flaw to craft HTML or JavaScript that triggers inappropriate data leakage across origin boundaries. They would host this on a server or inject it into compromised websites, then trick users into visiting via phishing, malicious ads, or social engineering. The technical barrier is moderate for skilled attackers familiar with browser internals.
This analysis is based on publicly available information as of June 2026. CVSS scores, patch versions, and KEV status reflect the source data provided and may be subject to change as vendor advisories are updated. Organizations should verify patch availability and applicability within their specific environment before deployment. This explainer does not constitute security advice tailored to your organization; consult your security team and vendor advisories for deployment decisions. No exploit code or weaponization details are provided herein. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw
- CVE-2026-11048MEDIUMChrome Extension Same-Origin Policy Bypass (Medium, 6.5)
- CVE-2026-11081MEDIUMChrome Canvas Same-Origin Policy Bypass
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11084MEDIUMChrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
- CVE-2026-11132MEDIUMChrome Same-Origin Policy Bypass in Paint Component