MEDIUM 6.5

CVE-2026-11193: Chrome Password Manager Access Control Bypass – CVSS 6.5

Google Chrome's Password Manager contained a flaw that failed to properly enforce access controls, allowing an attacker to bypass security restrictions through a malicious webpage. An attacker could craft a specially designed HTML page that, when visited by a user, circumvents the protections meant to prevent unauthorized access to password management features. This requires user interaction—the victim must visit the attacker's page—but no special privileges are needed on the attacker's side. The vulnerability does not lead to data theft or system crashes, but rather prevents the password manager from properly enforcing who can access its functions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-284
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient policy enforcement in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11193 is an insufficient policy enforcement vulnerability in the Password Manager component of Google Chrome prior to version 149.0.7827.53. The flaw stems from inadequate access control validation (CWE-284) that permits a network-based attacker to bypass discretionary access control mechanisms via a crafted HTML page. The vulnerability requires user interaction (UI:R) and operates within the security context of the user's session (S:U), but carries no scope expansion. The Chromium project assigned this a Medium severity rating. While the CVSS 3.1 score of 6.5 indicates moderate risk with availability impact (A:H), the lack of confidentiality or integrity impact limits exposure to denial-of-service or feature unavailability rather than credential compromise.

Business impact

This vulnerability could allow attackers to manipulate or disable password manager functionality for targeted users, potentially leading to account lockouts, forced password resets, or denial of access to stored credentials at critical moments. For organizations with users relying on Chrome's password management features for credential storage and retrieval, exploitation could disrupt workflows and create friction in user experience. The attack surface is broad—any user visiting a malicious site is at risk—but the impact is primarily operational rather than data-loss focused. Industries with high-volume user bases and critical authentication dependencies should assess their exposure.

Affected systems

The vulnerability affects Google Chrome on multiple platforms: Windows, macOS, and Linux systems running Chrome versions prior to 149.0.7827.53. The underlying Chromium engine also impacts Chrome-based browsers on these operating systems. Users on older Chrome versions that have not received the security patch are affected, though the exact scope of vulnerability depends on platform-specific patch availability and deployment timelines.

Exploitability

Exploitation requires a user to visit a crafted webpage, making this a relatively straightforward attack vector that does not demand sophisticated technical skills or system-level access. No authentication is required from the attacker's perspective, and the attack succeeds over the network. However, user interaction is essential—passive consumption of the web alone will not trigger exposure. The crafting of the malicious HTML page itself is likely within reach of competent threat actors, though specific proof-of-concept details remain limited in public discourse. The barrier to exploitation is low to moderate.

Remediation

Users should update Google Chrome to version 149.0.7827.53 or later as soon as practicable. Verify against the official Google Chrome release notes and vendor security advisories to confirm patch availability for your specific platform (Windows, macOS, or Linux). Organizations should prioritize deployment of this update, particularly for users with admin-level or privileged account access who might be targeted. Auto-update features in Chrome can facilitate rapid patching across user bases.

Patch guidance

Apply Chrome version 149.0.7827.53 or later. Verify patch availability through Google's official Chrome release channels and security advisories before deployment. Organizations using centralized Chrome deployment mechanisms should validate patch rollout against this version number. Test patching in non-production environments if possible to ensure compatibility with organizational tools and extensions. Monitor Chrome version compliance through endpoint management solutions or browser telemetry to confirm successful patch deployment across your fleet.

Detection guidance

Monitor for exploitation attempts by tracking access patterns to Chrome's Password Manager via web-based attack vectors. Look for suspicious HTML content served to users or anomalous interactions with the password manager component. Endpoint detection and response (EDR) tools should flag unusual process behavior related to chrome.exe or chromium processes that interact with password storage locations. User reports of unexpected password manager failures or access denials should be investigated for potential exploitation. Web traffic analysis may reveal attempts to deliver malicious HTML payloads targeting this vulnerability.

Why prioritize this

While the CVSS score of 6.5 (Medium) reflects the vulnerability's moderate severity, prioritization should account for the broad attack surface (any user visiting a compromised or attacker-controlled website), the ease of exploitation, and the potential for widespread impact in organizations with large Chrome user bases. The fact that this targets password management functionality—a critical security component—warrants elevated attention despite the lack of KEV designation. Organizations should treat this as a near-term patching priority, particularly in environments where Chrome is the primary browser and password management is integrated into business workflows.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects the combination of network-based attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), required user interaction (UI:R), and unchanged scope (S:U). The high availability impact (A:H) drives the elevated score, while the absence of confidentiality or integrity impact prevents it from reaching higher severity levels. The score appropriately captures a flaw that can disrupt service availability through access control bypass without exposing sensitive data or system integrity.

Frequently asked questions

Do I need to do anything if I'm using Chrome's built-in password manager?

Yes. Update Chrome to version 149.0.7827.53 or later. While the vulnerability requires you to visit a malicious website, the risk is real for any user relying on Chrome's password manager. Check your Chrome version in Settings > About Chrome, which will auto-update if enabled. After updating, no further action is needed unless you notice password manager issues.

Can this vulnerability steal my saved passwords?

No. This vulnerability does not allow attackers to extract or view saved passwords. The flaw permits bypassing access controls to the password manager interface itself, potentially preventing normal access or functionality. Your password data remains encrypted; this vulnerability affects the gate that controls who can interact with the manager, not the vault itself.

Is this vulnerability being actively exploited in the wild?

The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting no widespread active exploitation has been confirmed at the time of publication. However, the relative ease of exploitation and broad attack surface mean defenders should not assume risk will remain low indefinitely. Prioritize patching accordingly.

Do I need to change my passwords if I've been using Chrome before the patch?

Unless you have specific evidence of unauthorized password manager access or account compromise, password changes are not immediately necessary. However, monitor your accounts for suspicious activity. If you suspect the flaw was exploited against you, consider changing passwords for high-sensitivity accounts as a precaution and enable multi-factor authentication where available.

This analysis is based on information available as of the publication date and the vendor security advisory. CVSS scores and severity ratings reflect the vendor's assessment and may evolve as additional information emerges. Organizations should verify patch availability and compatibility against official Google Chrome security advisories and release notes before deployment. This information is provided for defensive purposes; no exploit code or weaponized proof-of-concept is included. Always consult with your security team and vendor documentation for definitive patching and remediation guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).