CVE-2026-11178: Chrome WebView Cross-Origin Data Leak on Android – Patch Guidance
A security gap in Chrome's WebView component on Android devices allows attackers to steal sensitive information from websites you visit. By tricking a user into opening a malicious webpage, an attacker can bypass Chrome's normal protections and read data that should be restricted to other websites. This affects Chrome versions before 149.0.7827.53. The vulnerability requires user interaction—someone must click a link or open a malicious page—but doesn't require special privileges or advanced technical setup.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-346
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11178 exploits insufficient policy enforcement within WebView, the embedded browser component used by Chrome on Android. The vulnerability stems from a cross-origin policy bypass (CWE-346) that permits a remote attacker to exfiltrate data across origin boundaries via a crafted HTML page. The attack vector is network-based with low complexity; the user must engage with the malicious content (e.g., click a link or visit a page), but no authentication or special Android privileges are required. The Chromium security team classified this as Medium severity due to limited confidentiality impact and the requirement for user interaction.
Business impact
For organizations with users accessing corporate resources through Chrome on Android devices, this vulnerability presents a data confidentiality risk. If an employee visits a malicious website while using a work or personal device to access company web applications, an attacker could potentially steal session tokens, authentication credentials, or sensitive business data cached in the browser. The risk is particularly acute in bring-your-own-device (BYOD) environments and for organizations relying on web-based SaaS platforms. However, the requirement for active user interaction and the Medium CVSS score mean this is not an immediate, system-wide compromise vector.
Affected systems
Google Chrome on Android devices running version 149.0.7827.52 and earlier are vulnerable. WebView is a core component embedded in Chrome and used by many third-party Android applications, so the reach extends beyond standalone Chrome usage. Users on tablets and smartphones are at risk. Desktop Chrome versions are unaffected. Organizations should verify which Android versions and Chrome releases are in use across their device fleet.
Exploitability
Exploitation requires a user to visit a malicious website or click a crafted link. The attack does not require the victim to install additional software, grant unusual permissions, or compromise their device. Social engineering, phishing emails, or advertisement networks could deliver the payload. No known public exploits have been listed in CISA's Known Exploited Vulnerabilities catalog as of the last update, and Chromium's Medium classification reflects that the attack surface, while real, is constrained by the need for user interaction and limited to confidentiality impact.
Remediation
Update Google Chrome on Android to version 149.0.7827.53 or later. Users should enable automatic updates in the Google Play Store settings. Organizations managing Android devices via Mobile Device Management (MDM) solutions should push the Chrome update through their management console. Additionally, educate users to avoid clicking suspicious links and to be cautious when visiting unfamiliar websites, particularly those offering unexpected or unsolicited content.
Patch guidance
Check the Google Chrome version installed on Android devices via Settings > About Chrome; the system will indicate whether updates are available and can initiate installation immediately. For enterprise environments, verify that device management policies allow Chrome auto-updates or manually deploy the update via your MDM platform. Confirm that the installed version displays 149.0.7827.53 or higher. Third-party applications that bundle WebView should also be checked, as some may have independent update cycles; consult their respective app stores or vendor advisories.
Detection guidance
Network and endpoint monitors should track Chrome version distributions across Android devices to identify stragglers. On-device telemetry from MDM solutions can flag devices with Chrome versions prior to 149.0.7827.53. Web traffic analysis may reveal suspicious HTML payloads or unusual cross-origin data requests, though this is challenging given the volume of legitimate browser activity. Phishing and email security controls should be tuned to detect links to known malicious domains or spoofed internal sites that might serve as attack platforms. Monitor for unusual data exfiltration from web sessions.
Why prioritize this
While the CVSS score of 4.3 reflects a Medium-severity vulnerability, organizations should prioritize patching because Chrome on Android is ubiquitous, WebView is embedded in numerous third-party applications, and mobile devices often store cached credentials and session tokens. The exploit requires only user interaction, which is a common attack vector. The lack of KEV status indicates no widespread active exploitation has been publicly reported, affording a window to patch before attackers weaponize this vulnerability at scale. Mobile device security is frequently a weak point in enterprise defense; this patch is relatively low-friction to deploy.
Risk score, explained
The CVSS v3.1 score of 4.3 (Medium) reflects a network-accessible vulnerability requiring user interaction with low attack complexity. The impact is strictly confidentiality (data leak); there is no integrity or availability component. The scope is unchanged (impact is confined to the user's security context). The score appropriately reflects that the attack is feasible but not trivial, and that damage is limited to information disclosure rather than system compromise or data modification.
Frequently asked questions
Does this vulnerability affect Chrome on Windows, macOS, or Linux?
No. CVE-2026-11178 is specific to Chrome on Android. Desktop versions of Chrome are not vulnerable. If you use Chrome on a computer, you are not at risk from this particular flaw, though you should keep all browsers and applications patched as part of routine security hygiene.
Can this vulnerability be exploited without user action?
No. The attacker must convince or trick the user into visiting a malicious website or clicking a malicious link. Simply having Chrome installed and browsing legitimate sites does not expose you to this vulnerability. However, users should remain vigilant against phishing and suspicious links, as this attack vector is relied upon.
Are third-party Android browsers affected?
Only Chrome and applications that use Chrome's WebView component are affected. Other browsers like Firefox, Edge, or Samsung Internet maintain their own rendering engines and are not vulnerable to this specific flaw. However, many Android apps embed WebView for rendering web content, so third-party application developers should ensure their apps use updated system WebView.
What should I do if I cannot update Chrome immediately?
Minimize the risk by avoiding suspicious websites and links. Do not click links from unknown senders, be cautious with public Wi-Fi, and consider using a separate device for sensitive transactions until you can patch. If you manage a fleet of devices, prioritize Chrome updates in your MDM deployment. If updating is blocked by technical issues, contact your IT support team to resolve blockers quickly.
This analysis is based on publicly disclosed vulnerability data and vendor advisories as of the publication date. CVSS scores and severity ratings reflect the vendor's assessment and may be updated as additional information emerges. Organizations should verify patch availability and compatibility with their specific Chrome versions and Android deployments before deployment. This document does not constitute legal or compliance advice. Security teams should assess risk within the context of their own threat model and asset inventory. For the most current patching information, consult the official Google Chrome security updates page and your device manufacturer's support resources. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10010MEDIUMChrome Android Site Isolation Bypass
- CVE-2026-10937MEDIUMChrome Same-Origin Policy Bypass in Password Handling
- CVE-2026-10996MEDIUMChrome Same-Origin Policy Bypass in Web Workers
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw
- CVE-2026-11048MEDIUMChrome Extension Same-Origin Policy Bypass (Medium, 6.5)
- CVE-2026-11081MEDIUMChrome Canvas Same-Origin Policy Bypass