CVE-2026-11187: Chrome Navigation Restriction Bypass Vulnerability
Google Chrome versions prior to 149.0.7827.53 contain a flaw in the Glic component that allows an attacker to bypass navigation restrictions by tricking users into visiting a specially crafted webpage. The vulnerability requires user interaction (clicking a link or visiting the malicious page) and affects users across Windows, macOS, and Linux platforms. While the immediate impact is moderate, the ability to circumvent navigation safeguards could enable follow-on attacks or unauthorized content access.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-284
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Glic in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11187 stems from an inappropriate implementation in Chrome's Glic component, classified under CWE-284 (Improper Access Control). The vulnerability permits navigation restriction bypass through a crafted HTML page, without requiring elevated privileges. The attack vector is network-based, the attack complexity is low, and user interaction is required. The vulnerability affects confidentiality, integrity, and availability equally. Chrome security classified this as Medium severity, reflected in a CVSS 3.1 score of 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
Business impact
This vulnerability could allow attackers to circumvent browser-based navigation controls, potentially exposing users to unintended destinations or restricted content. For organizations relying on Chrome's security features to enforce access policies or prevent users from accessing certain sites, this creates a compliance and risk management gap. The need for user interaction limits mass exploitation, but targeted campaigns against high-value users remain feasible. Remediation is straightforward via patching, but any delay leaves users exposed to social engineering and forced-navigation attacks.
Affected systems
Google Chrome on Windows, macOS, and Linux is the primary affected platform. The vulnerability applies to all Chrome installations running version 149.0.7827.52 and earlier. Organizations should inventory Chrome deployments, particularly those in security-sensitive roles or managing restrictive navigation policies. While Chromium-based browsers (Edge, Brave, etc.) may inherit risk depending on their release cadence, the source data explicitly identifies Chrome, Windows, macOS, and Linux kernel as affected vendors/products.
Exploitability
Exploitation requires crafting a malicious HTML page and convincing or tricking a user into visiting it—no special attack infrastructure or zero-day techniques are needed. The low attack complexity and lack of authentication requirements make this straightforward for an attacker to attempt. However, the mandatory user interaction (clicking a link, visiting a site) provides a natural friction point; mass exploitation is less likely than targeted spear-phishing or drive-by-download scenarios. The vulnerability is not currently tracked on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation has not yet been widespread or documented at scale.
Remediation
Update Google Chrome to version 149.0.7827.53 or later on all supported platforms. This patch addresses the Glic implementation flaw and restores proper navigation restriction enforcement. Verify the update is deployed across your organization's Chrome fleet, particularly on devices with elevated risk exposure. For enterprises managing Chrome via Mobile Device Management (MDM) or group policy, ensure automatic updates are enabled or push the patch proactively. No workarounds exist; patching is the only remediation.
Patch guidance
Google has released Chrome 149.0.7827.53 to resolve this issue. Users should enable automatic updates to receive the patch immediately; administrators can verify deployment by checking Chrome's About page (chrome://about). On Windows, Mac, and Linux, the update process is identical. For managed deployments, verify the rollout using your endpoint management solution to confirm all instances have reached the patched version. No additional configuration changes are required post-patch.
Detection guidance
Monitor for Chrome instances below version 149.0.7827.53 in your asset inventory. Endpoint Detection and Response (EDR) and Mobile Device Management (MDM) tools can query installed Chrome versions and flag out-of-date instances. Network-level detection is limited since the attack uses a crafted HTML page (legitimate-looking traffic), but behavioral monitoring for unexpected navigation or access to restricted URLs may provide early warning. Log Chrome version updates to track patch compliance over time. No specific ICS/IOCS are available for this vulnerability's exploitation payload.
Why prioritize this
While the CVSS score of 6.3 is moderate and the vulnerability is not actively exploited at scale, the low barrier to exploitation and the broad user base affected by Chrome make this a priority for rapid patching. Navigation restriction bypass could enable credential harvesting, malware delivery, or access to restricted resources. Organizations with strict content filtering or access control policies should prioritize this above lower-severity issues. The patch is mature and carries no known compatibility risks, making deployment low-risk and high-benefit.
Risk score, explained
The CVSS 3.1 score of 6.3 reflects the moderate nature of the vulnerability: network attack vector, low complexity, no authentication requirement, and user interaction required. The impact on confidentiality, integrity, and availability is limited (partial, not complete), and the scope is unchanged. This score appropriately captures the risk of navigation bypass without overstating it as critical. Real-world risk varies by organizational context—entities with strong navigation policies and high-value user populations face greater risk.
Frequently asked questions
Does this vulnerability allow remote code execution?
No. CVE-2026-11187 allows an attacker to bypass navigation restrictions via a crafted HTML page, not to execute arbitrary code. However, once navigation is bypassed, an attacker could redirect a user to a malicious site capable of delivering malware or phishing content, creating a secondary risk.
Is this vulnerability being actively exploited?
No. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last update. However, the low barrier to exploitation means organizations should not delay patching while awaiting confirmed exploitation reports.
Do I need to take any action beyond updating Chrome?
Updating to Chrome 149.0.7827.53 or later is the primary mitigation. No configuration changes or additional hardening measures are required. Verify the update is deployed across your environment using your MDM or asset management tools.
Why is user interaction required if this is a network attack?
The vulnerability is triggered when a user visits or clicks a link to a crafted HTML page. An attacker cannot exploit it remotely without user engagement, but social engineering, phishing links, or drive-by-download tactics make this a practical constraint rather than a strong defense.
This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. SEC.co does not represent this as a comprehensive security audit or guarantee of risk assessment accuracy for your specific environment. Verify all patch version numbers, supported platforms, and compatibility details against official Google Chrome security advisories and your organization's change management procedures before deployment. Use of this information is at your own risk and does not replace professional security consultation tailored to your infrastructure and threat profile. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)
- CVE-2026-11026MEDIUMChrome Extension Navigation Bypass Vulnerability
- CVE-2026-11078MEDIUMChrome FileSystem Same-Origin Policy Bypass – MEDIUM Severity
- CVE-2026-11135MEDIUMChrome Autofill Bypass Allows Credential Misdirection
- CVE-2026-11190MEDIUMGoogle Chrome Extension Access Control Bypass (6.5 CVSS)
- CVE-2026-11193MEDIUMChrome Password Manager Access Control Bypass – CVSS 6.5
- CVE-2026-11197MEDIUMChrome Same-Origin Policy Bypass in Workers – Patch v149.0.7827.53
- CVE-2026-11210MEDIUMChrome Safe Browsing Bypass via Crafted RAR Files