MEDIUM 6.5

CVE-2026-11195: Chrome MHTML Cross-Origin Data Leak – Patch Now

Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser handles MHTML (MIME Encapsulation of Aggregate HTML Documents) content. An attacker can craft a malicious web page that, when visited by a user who performs specific interactions with the page (such as clicking or other UI gestures), leaks sensitive data from websites the user has visited in other browser tabs or windows. The vulnerability requires user interaction to trigger and does not allow attackers to modify data or crash the browser, but it does enable unauthorized access to cross-origin information that should remain private.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-346, CWE-352
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in MHTML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11195 is a cross-origin data disclosure vulnerability in Chrome's MHTML implementation. The issue stems from inappropriate handling of MHTML content processing, allowing a network-based attacker to craft HTML pages that trigger unintended information exposure when users engage in specific UI interactions. The vulnerability falls under Origin Policy Violation (CWE-346) and Cross-Site Request Forgery (CWE-352) categories, indicating failures in same-origin policy enforcement and state-changing request validation. The attack requires user interaction and the user must be tricked into visiting a malicious page, but does not require authentication, making it a relatively low-friction exploitation scenario once a user is socially engineered to the attacker's site.

Business impact

This vulnerability creates a data exfiltration risk for any organization whose employees use Chrome to access sensitive cloud applications, internal web portals, or SaaS platforms. An attacker could harvest session tokens, API keys, or sensitive information displayed on pages that users visit while also opening the attacker's malicious page. For enterprises managing confidential workflows (financial systems, healthcare portals, legal databases), the undetected leakage of cross-origin data could result in compliance violations, IP theft, or breach notification obligations. The requirement for user interaction means targeted phishing campaigns or compromised advertising networks are the most likely attack vectors.

Affected systems

All Google Chrome installations on Windows, macOS, and Linux running versions prior to 149.0.7827.53 are vulnerable. Users on supported versions of Chrome that have not yet auto-updated to the fixed release are at risk. Organizations managing Chromebook fleets, enterprise Chrome deployments, or environments where users run local Chrome browsers should prioritize inventory of installed versions. Third-party Chromium-based browsers may also be affected if they do not promptly backport the fix.

Exploitability

Exploitation requires a moderate level of attacker capability: an attacker must craft a convincing phishing email or compromised ad campaign to direct users to a malicious page, then the user must perform specific UI interactions on that page. There is no unauthenticated network exploit or one-click trigger; social engineering is the gating factor. Once user interaction occurs, data leakage is automatic and silent. The vulnerability has not been added to the Known Exploited Vulnerabilities (KEV) catalog, indicating no evidence of in-the-wild exploitation at the time of this analysis, though that status can change. Given its Medium CVSS score (6.5) and the availability of a patch, opportunistic attackers may test it once awareness spreads.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Users can check their version at chrome://version/ and force an update via Chrome Settings > About Chrome, which will trigger an automatic download and apply the patch on next restart. Enterprise administrators should deploy this update through their standard patch management processes immediately. No workarounds are available short of avoiding untrusted websites or disabling MHTML processing, neither of which is practical; patching is the only reliable remediation.

Patch guidance

Chrome 149.0.7827.53 and all subsequent releases contain the fix for this vulnerability. Users on Chrome 148 or earlier must upgrade. If your organization uses Chrome Enterprise license, verified that automatic updates are enabled or use your management console (Google Admin Console) to push the update to all devices. For Linux distributions that package Chrome, check with your distro's repository for availability of the patched version. Verify remediation by confirming the version string at chrome://version/ shows 149.0.7827.53 or higher.

Detection guidance

Monitor Chrome version inventory across your endpoints using Mobile Device Management (MDM) solutions, intune, or asset management tools to identify systems running pre-149.0.7827.53 builds. At the network level, detection is difficult because MHTML parsing occurs client-side; however, monitoring for suspicious MHTML downloads or unusual cross-origin data flows (if your proxy/DLP supports it) may surface exploit attempts. Consider user awareness training on phishing campaigns that direct to unfamiliar websites requesting interaction. Web proxy logs showing visits to unfamiliar sites followed by rapid queries to sensitive internal systems may indicate exploitation, though attribution is weak. Focus detection efforts on inventory management rather than behavioral detection.

Why prioritize this

Although this vulnerability carries a Medium CVSS score and has not yet entered active exploitation, Chrome is ubiquitous in enterprise environments and the attack vector (social engineering + user interaction) is practical for targeted campaigns. Organizations handling sensitive data (healthcare, finance, legal, technology sectors) should prioritize this patch within their standard 30-day patch cycle. For general enterprises, this is a high-priority patch due to Chrome's popularity and the confidentiality impact, but slightly lower urgency than critical or exploited vulnerabilities. The automatic update mechanism in Chrome reduces friction, so most users will be patched passively if updates are not deliberately delayed.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects a network-based attack with low complexity that requires user interaction and results in high confidentiality impact but no integrity or availability impact. The score appropriately captures the balance between ease of exploitation (social engineering) and the severity of the outcome (silent data leakage). This score does not factor in prevalence of Chrome or business context, which may elevate risk for data-sensitive organizations. The absence of KEV status suggests limited or no active exploitation, which may lower immediate operational risk but does not reduce the need to patch.

Frequently asked questions

Can I be exploited if I just visit a malicious page without clicking anything?

No. The vulnerability requires specific UI gestures (such as clicks or keyboard interactions) to trigger the data leak. Merely loading the page is not sufficient, but the attacker controls what gesture is required and can craft the page to make the gesture seem innocuous (e.g., clicking a 'Close' button or scrolling). Staying vigilant about unexpected prompts or requests is important.

Does this vulnerability affect other browsers like Firefox or Edge?

This CVE is specific to Chrome's MHTML implementation. Firefox and other browsers may have different MHTML handling or may not support MHTML at all. However, similar cross-origin data disclosure flaws have been discovered in other browsers in the past, so no browser is immune to this class of vulnerability. Keep all browsers updated to current versions.

If I use Chrome in a sandbox or container, am I protected?

Partially. A sandbox can limit what an attacker can do after obtaining data (e.g., prevent lateral movement), but it does not prevent the data leak itself from happening within the browser context. The vulnerability still exposes data from other tabs or origins within the same Chrome profile. Isolation at the profile or browser-instance level provides stronger defense.

Why hasn't this been added to the KEV catalog yet?

The KEV catalog includes vulnerabilities that have been actively exploited in the wild and identified by U.S. government agencies or their authorized partners. At the time of publication, no such evidence existed. KEV status can change as threat intelligence evolves. Do not use KEV status alone to prioritize patching; apply this update based on your organization's risk tolerance and data sensitivity.

This analysis is based on CVE-2026-11195 source data as of the publication date. Exploit code and detailed technical mechanics are not provided herein. Readers should consult official Google Chrome release notes and security advisories for authoritative guidance. Organizations should validate patch applicability and test in non-production environments before wide deployment. Risk scores and prioritization recommendations are general guidance; your organization's risk tolerance, data sensitivity, and threat model should inform your patching decisions. This document does not constitute legal, compliance, or professional security advice. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).