CVE-2026-11189: Chrome DevTools Navigation Bypass via Malicious Extension
A flaw in Google Chrome's developer tools allowed attackers to bypass navigation restrictions through malicious browser extensions. If a user installed a crafted extension, an attacker could manipulate Chrome's navigation controls to reach restricted pages or resources. The vulnerability requires user action—specifically, convincing someone to install the malicious extension—but once installed, no additional user interaction is needed for the bypass itself.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11189 is an input validation weakness in Chrome's DevTools functionality. The vulnerability stems from insufficient validation of untrusted data supplied through a specially crafted Chrome extension. This allows an extension with appropriate permissions to circumvent Chrome's navigation restrictions, a security boundary intended to prevent certain navigational operations. The flaw affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux. Chromium security classified this as Medium severity.
Business impact
Organizations relying on Chrome's navigation restrictions for security policy enforcement may find those controls bypassed if a user installs a malicious extension. This could expose users to phishing sites, credential theft, or other attacks that depend on reaching otherwise-blocked resources. The impact is mitigated by the requirement that users actively install an extension, but determined attackers might use social engineering or bundled installers to achieve installation at scale. For enterprises enforcing browsing policies, this highlights the importance of extension governance.
Affected systems
Google Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux are affected. The underlying Chromium code also impacts any Chromium-based browsers built from affected source versions. Chrome for Android, Chrome for iOS, and other Chrome products should be evaluated against their own version timelines—consult official Chrome release notes for variant-specific patch status.
Exploitability
Exploiting this vulnerability requires social engineering: the attacker must convince a user to install a malicious extension. The technical bar is low once an extension is installed—no special user interaction is needed to trigger the bypass. The attack is not remotely exploitable without user action. An organization with weak extension policies, inadequate user training, or a high-trust user base faces elevated risk.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome auto-updates by default, but verify completion across your user base if you maintain manual deployment. For Chrome Enterprise, use Group Policy or mobile device management to ensure timely updates. Additionally, implement extension governance: disable installation of extensions outside your approved list, educate users on extension risks, and monitor installed extensions regularly for suspicious behavior or provenance.
Patch guidance
Upgrade to Chrome 149.0.7827.53 or any subsequent release. Chrome's built-in auto-update mechanism should deliver this patch automatically; users can manually trigger updates via Chrome menu > Help > About Google Chrome. In enterprise environments, confirm patch deployment via management console. No workarounds or configuration flags are needed. For Chromium-derived browsers, verify against the respective project's release schedule and advisory status.
Detection guidance
Monitor extension installations for suspicious or unexpected extensions, particularly those with broad DevTools, tab, or navigation permissions. Log and alert on installations from non-standard sources or by unusual users. Audit browser logs for anomalous navigation attempts that bypass expected restrictions. Security Information and Event Management (SIEM) or endpoint detection platforms can flag unauthorized extension deployments or navigation policy violations if baseline behavior is well-defined.
Why prioritize this
This vulnerability warrants prompt but not emergency patching. The CVSS score of 6.5 (Medium) reflects the requirement for user action to install an extension; widespread exploitation in the wild is unlikely without a high-profile malicious extension campaign. However, because navigation restrictions are a trust boundary, any bypass undermines security controls. Organizations with strict browsing policies or high-value targets should prioritize patching within normal update cycles. Monitor for public reports of weaponized extensions and escalate if any emerge.
Risk score, explained
The CVSS 3.1 score of 6.5 is derived from a network-accessible attack vector, low attack complexity, no privilege requirement, and required user interaction (installing the extension). The impact is integrity-focused—the attacker can bypass controls—with no direct confidentiality or availability loss. The Medium severity reflects that exploitation is contingent on user action but that the consequence is a meaningful security boundary violation.
Frequently asked questions
Do I need to have developer tools open for this to work?
No. The flaw resides in the DevTools validation logic itself; an attacker does not need a user to actively open or use DevTools. The malicious extension can invoke the vulnerable code path internally.
Can an attacker exploit this through a website or just via extensions?
Only through extensions. The vulnerability requires the extension installation step. Websites alone cannot trigger this flaw; they cannot inject a crafted extension.
Will updating Chrome prevent infection if a malicious extension is already installed?
Updating Chrome will close the vulnerability, preventing future exploitation via the navigation bypass. However, if a malicious extension is already installed, you should also remove it manually or via your endpoint security tools, as the extension itself may have other harmful capabilities unrelated to this CVE.
What should I do if I manage a Chromium fork or derivative browser?
Check your Chromium sync point and release schedule. If your last merge included the patch from Chromium, you are safe. If not, coordinate with your Chromium integration process to acquire the fix or backport it to your branch.
This analysis is based on publicly disclosed information as of the stated publication and modification dates. No active exploitation in the wild is confirmed at this time, and the vulnerability has not been added to the CISA KEV list. Security landscape and threat actor behavior may change; organizations should monitor official Google Chrome security advisories and threat intelligence sources for updates. This document does not constitute legal, compliance, or investment advice and is provided for informational purposes. Always test patches in a non-production environment before enterprise deployment. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11023MEDIUMChrome Same-Origin Policy Bypass in WebAppInstalls