MEDIUM 6.5

CVE-2026-11190: Google Chrome Extension Access Control Bypass (6.5 CVSS)

Google Chrome versions before 149.0.7827.53 contain a flaw in how it handles browser extensions. An attacker could create a malicious extension that, if installed by a user, bypasses Chrome's access control protections. This means the extension could perform actions it should not be permitted to do—such as accessing restricted resources or modifying system behavior—without proper authorization checks. The attack requires user action to install the extension, but once installed, the damage is contained to what the extension itself can access rather than affecting the entire system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-284
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11190 stems from an inappropriate implementation of access control mechanisms in Chrome's extension framework (CWE-284: Improper Access Control). The vulnerability allows a crafted extension to circumvent discretionary access control (DAC) checks that normally restrict what an extension can do. The root cause lies in the extension validation or permission-enforcement logic prior to Chrome 149.0.7827.53. An attacker-controlled extension can exploit this gap to access protected resources or perform restricted operations that would normally be denied by Chrome's sandbox and permission model. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) indicates network accessibility with low attack complexity, user interaction required, and high integrity impact with no confidentiality or availability loss—consistent with an extension bypassing intended restrictions.

Business impact

If exploited, this vulnerability enables extensions to modify browser behavior, settings, or user data beyond their declared permissions. For enterprises, this could allow unauthorized extensions (whether distributed through social engineering or compromised supply chains) to alter security policies, intercept or modify web traffic, inject malicious content, or extract sensitive data from browsing sessions. The integrity impact is significant: users may not realize their browser environment has been compromised, leading to potential data exfiltration, credential theft, or deployment of secondary malware. The user-interaction requirement limits blast radius to individuals who install the extension, but once installed, the bypass is complete.

Affected systems

All platforms running Chrome prior to version 149.0.7827.53 are affected, including Windows, macOS, and Linux systems. The vulnerability is specific to the Chrome browser and does not directly affect the underlying operating systems (Windows, macOS, Linux) beyond the Chrome process itself. Users on these platforms who rely on Chrome for work should prioritize patching. The risk is user-centric rather than OS-centric: any user with Chrome installed and the ability to install extensions is a potential target.

Exploitability

Exploiting this vulnerability requires social engineering or distribution of a malicious extension through deceptive means. An attacker must convince a user to install a crafted extension from the Chrome Web Store, a third-party repository, or a direct link. The attack complexity is low once the extension is installed, but the prerequisite user interaction (installation consent) is a necessary friction point. There is no evidence of in-the-wild exploitation at publication, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the low technical barrier to weaponization and the high impact make this a plausible target for targeted campaigns against specific users or organizations.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome typically auto-updates, but users and administrators should verify their version via Settings > About Google Chrome and force an update if necessary. For enterprise environments, use Chrome policies to enforce automatic updates and restrict extension installation to a managed allowlist via the ExtensionInstallWhitelist or ExtensionInstallForcelist policies. Audit installed extensions for suspicious or unnecessary additions, and educate users on the risks of installing extensions from untrusted sources. Consider restricting extension permissions via the ExtensionSettings policy.

Patch guidance

Verify your Chrome version by navigating to chrome://settings/help. If the version is lower than 149.0.7827.53, restart Chrome to apply any pending updates. For manual confirmation, check the version string in Settings > About Google Chrome; the browser will auto-check for updates and display the latest available version. Enterprise administrators should confirm patch deployment via Chrome management console or policy enforcement reports. No data loss is expected during the update. Rollback is not required; the update is forward-compatible.

Detection guidance

Monitor for suspicious extension installations using Chrome policy reports (if available in your environment) or endpoint detection tools that track browser extension registries. Look for extensions with broad or unusual permissions (e.g., access to all sites, ability to modify settings) from unknown publishers. If available, audit the Chrome user profile directories for unexpected extensions. Behavioral detection should flag attempts to modify security settings or permissions unexpectedly. On managed devices, track failed or unusual extension installation attempts. Note that the vulnerability itself leaves no obvious forensic artifacts beyond the presence of the malicious extension; detection relies primarily on identifying the extension itself and its behavior.

Why prioritize this

This vulnerability merits medium-to-high priority for patching due to its integrity impact, ease of distribution via social engineering, and applicability to all Chrome users. While user interaction is required, the bypass of access controls is complete once the extension is installed. Organizations with strict bring-your-own-device (BYOD) policies or those concerned about supply-chain attacks on extensions should prioritize this patch. The CVSS 6.5 and Chromium medium severity classification reflect the real-world risk, though the attack surface is limited to users who can be tricked into installing extensions. Patch promptly but not urgently; regular update cadence is sufficient for most organizations absent targeted threat intelligence.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) is driven by high integrity impact (I:H), indicating the ability to modify or alter Chrome functionality without authorization. Network accessibility (AV:N) and low attack complexity (AC:L) reflect that exploitation is straightforward once the extension is obtained. The user interaction requirement (UI:R) and the scope remaining unchanged (S:U) mean the impact does not escalate beyond the affected user's browser session. Chromium's own Medium severity rating aligns with this assessment. No confidentiality or availability loss is indicated, limiting the score. For businesses handling sensitive data, the integrity impact alone justifies rapid patching.

Frequently asked questions

Do I need to uninstall Chrome or lose my data to patch this?

No. Chrome patches are typically applied automatically and require only a restart of the browser. Your bookmarks, passwords, and settings are preserved. You can force the update by going to Settings > About Google Chrome, which will prompt an update check and apply the patch on next launch.

Can this vulnerability affect my operating system or other applications?

No. This vulnerability is specific to the Chrome browser and its extension framework. It does not affect Windows, macOS, or Linux directly, nor does it impact other browsers or applications. The compromise is limited to what a malicious extension can do within Chrome's sandbox.

What should I do if I have installed extensions from untrusted sources?

Review your installed extensions by going to chrome://extensions. Remove any unfamiliar, suspicious, or unnecessary extensions immediately. If you are unsure about an extension's legitimacy, remove it. For enterprises, audit installed extensions across your fleet and consider deploying an extension allowlist via Chrome policies to prevent future unauthorized installations.

Is this vulnerability being actively exploited?

No public evidence of active exploitation exists at the time of publication, and this vulnerability is not on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, patching should not be delayed indefinitely, as the low technical barrier to weaponization means exploitation is feasible. Stay informed via your security monitoring and patch within your organization's standard maintenance windows.

This analysis is provided for informational purposes and does not constitute legal, compliance, or professional security advice. Patch versions, timelines, and detailed remediation steps should be verified against official Google Chrome Security Advisories and your organization's internal security policies. SEC.co does not provide warranties regarding the completeness or timeliness of this information. Organizations should consult their security teams and vendor advisories for definitive guidance. No exploit code or proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).