CVE-2026-11194: Chrome Cross-Origin Data Leak Vulnerability – Patch Guidance
A vulnerability in Google Chrome's network implementation could allow an attacker to trick users into visiting a specially crafted webpage that leaks sensitive data from other websites the user is logged into. The attack requires user interaction (clicking or visiting the malicious page) but does not require special browser configuration or user privileges. While the confidentiality impact is high, the vulnerability does not allow attackers to modify data or disable services.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-346, CWE-352
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11194 stems from an inappropriate implementation in Chrome's network layer that fails to properly enforce cross-origin isolation. The vulnerability is rooted in improper origin validation (CWE-346) and insufficient CSRF protections (CWE-352), enabling same-site request forgery patterns that leak cross-origin data. An attacker crafts a malicious HTML page that, when visited by a user, exploits the network implementation to exfiltrate confidential information from other origins. The issue affects Chrome versions prior to 149.0.7827.53 across multiple operating systems.
Business impact
This vulnerability poses a direct confidentiality risk to users of affected Chrome versions. Organizations where employees browse untrusted content or visit adversary-controlled sites face exposure of sensitive cross-origin data—including authentication tokens, session information, or private user data from banking, email, or SaaS platforms. The requirement for user interaction limits the attack surface compared to drive-by exploitation, but social engineering or malvertising could lower the practical barrier. No documented active exploitation in the wild has been reported, but the straightforward attack vector (visiting a webpage) makes this a realistic threat once details emerge.
Affected systems
Google Chrome prior to version 149.0.7827.53 is directly affected. The vulnerability also impacts Chrome's availability on other operating systems, including macOS, Linux, and Windows systems running vulnerable Chrome builds. Users should verify their current Chrome version via Settings > About Chrome to confirm their patch status. Other Chromium-based browsers may be affected depending on their synchronization with upstream Chrome security updates.
Exploitability
The attack requires network accessibility and user interaction, making it moderately exploitable. An attacker must craft a malicious HTML page and persuade or trick a user into visiting it—via phishing, malvertising, or social engineering. Once the page loads in a vulnerable Chrome instance, the exploit triggers automatically without requiring further user action. The low attack complexity and lack of required privileges keep the barrier reasonably low for determined threat actors, though widespread exploitation depends on public PoC or watering-hole attacks targeting specific user communities.
Remediation
Organizations should immediately update Chrome to version 149.0.7827.53 or later. Google provides automatic updates, but IT teams should verify deployment status via browser policy reporting tools (e.g., Chrome Browser Cloud Management). End-users can manually check Settings > About Chrome, which will automatically download and prompt installation of newer builds. For organizations with restricted update policies, expedited exception requests are recommended given the cross-origin data exfiltration potential. No workarounds mitigate the vulnerability without patching.
Patch guidance
Verify your Chrome version against 149.0.7827.53 as the minimum secure build. Google releases patches as part of normal Chrome release cycles; ensure automatic updates are enabled. For managed environments, confirm that Group Policy (Windows) or mobile device management (MDM) policies push the patched version. macOS users should enable Automatic Updates in System Preferences > Software Update. Linux distributions should update chromium-browser packages through their package managers. Test patched versions in a non-critical environment first if your organization has custom extensions that may conflict with newer Chrome versions.
Detection guidance
Monitor Chrome version distribution across your environment using endpoint detection and response (EDR) tools or browser inventory management. Look for instances running versions prior to 149.0.7827.53. Network-layer detection is limited since the exploit runs entirely within the browser context, but user reports of unexpected cross-origin data exposure or account compromise following browsing activity warrant investigation. Browser extensions that enforce stricter origin policies may provide additional defense; review and test extensions claiming CORS or cross-origin hardening.
Why prioritize this
Despite a CVSS score of 6.5 (Medium), the real-world priority should reflect the high confidentiality impact combined with the straightforward attack vector (visiting a webpage). Organizations with users frequently exposed to untrusted web content or engaged in sensitive activities (finance, healthcare, government) should prioritize patching within 48–72 hours. The lack of documented KEV exploitation and the requirement for user interaction justify a slightly lower priority than critical patches, but the cross-origin data leak potential and ease of social engineering warrant rapid remediation rather than deferral to a standard patch cycle.
Risk score, explained
The CVSS 6.5 reflects network-based attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), and user interaction required (UI:R). Confidentiality is high (C:H) because attackers can exfiltrate data; integrity and availability are unaffected (I:N, A:N). The score appropriately captures the confidentiality-focused nature of cross-origin data leaks, but organizations handling high-value user data should internally elevate priority above the base score due to downstream business and compliance exposure.
Frequently asked questions
Does this vulnerability allow arbitrary code execution on my computer?
No. This vulnerability is limited to cross-origin data leakage within the browser. An attacker cannot execute arbitrary code, install malware, or access your filesystem. The risk is confined to exfiltration of sensitive web data (cookies, tokens, cached credentials) from websites you are logged into.
Will the malicious webpage affect me if I have automatic updates enabled?
If your Chrome is fully patched to 149.0.7827.53 or later, the vulnerability is closed and visiting the webpage poses no risk. Automatic updates are enabled by default; check Settings > About Chrome to confirm you are on the latest version. If updates are pending, restart Chrome to finalize installation.
Can I be exploited if I use a Chromium-based browser like Edge or Brave?
Possibly, if the underlying Chromium version is older than the patched release. Check your browser version settings and ensure you are on a recent build. Edge typically updates automatically via Windows Update; Brave and others have independent release cycles. Consult your browser vendor's security advisories for patch status.
What should I do if I suspect I was affected by this vulnerability before patching?
If you visited an untrusted or suspicious website and suspect data exposure, change passwords for sensitive accounts (email, banking, SaaS platforms) as a precaution. Monitor your accounts for unauthorized activity. If you are in a regulated industry, consider notifying your security team for forensic review. Patching Chrome immediately prevents future exploitation.
This analysis is provided for informational purposes and reflects the vulnerability details as of the publication date. CVSS scores and severity classifications are based on NIST and vendor assessments; organizations should conduct their own risk assessment in the context of their environment and threat model. Patch version numbers and vendor advisory details should be verified against official Google Chrome release notes and security bulletins before implementation. SEC.co does not provide exploit code or weaponized proof-of-concept information. Rapid patching is recommended but should be tested in non-production environments to ensure compatibility with existing systems and extensions. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11084MEDIUMChrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
- CVE-2026-11195MEDIUMChrome MHTML Cross-Origin Data Leak – Patch Now
- CVE-2026-11200MEDIUMChrome WebRTC Cross-Origin Data Leakage Vulnerability
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw
- CVE-2026-11048MEDIUMChrome Extension Same-Origin Policy Bypass (Medium, 6.5)