CVE-2026-11197: Chrome Same-Origin Policy Bypass in Workers – Patch v149.0.7827.53
Google Chrome versions prior to 149.0.7827.53 contain a flaw in how Worker threads enforce same-origin policy. An attacker who has already compromised your browser's rendering engine can craft a malicious webpage to trick the Worker into allowing cross-origin requests it should block. This is a post-compromise scenario—the attacker must first gain control of the renderer process—but once inside, they can escalate their privileges by accessing data from other websites.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in Workers in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11197 is a same-origin policy bypass in Chrome Workers caused by insufficient policy enforcement. The vulnerability exists in the Worker implementation prior to version 149.0.7827.53. An attacker with renderer process control can supply a crafted HTML page that causes Workers to execute fetch or XMLHttpRequest operations against origins they should be restricted from accessing. The root cause maps to CWE-284 (Improper Access Control), indicating a logic flaw in the Worker's permission-checking mechanism rather than a memory corruption issue.
Business impact
The practical impact depends on your threat model. If your organization uses Chrome for accessing sensitive internal web applications or SaaS platforms, a compromised renderer—whether via malware, a separate browser exploit, or social engineering—could be leveraged to exfiltrate data from other sites the user is logged into. For most users, this requires a prior compromise; it is not a direct entry point. However, when chained with other renderer exploits, it increases the blast radius of a browser compromise.
Affected systems
Google Chrome prior to version 149.0.7827.53 is affected. The vulnerability also affects the operating systems on which Chrome runs: Windows, macOS, and Linux. The listing includes the Linux kernel as an affected product, likely indicating that the vulnerability may impact Chromium derivatives and web browsers built on Chromium (such as Brave, Edge, or Opera) depending on their version synchronization with upstream Chrome.
Exploitability
Exploitation requires two preconditions: (1) the attacker must first compromise the renderer process, and (2) the user must interact with a crafted webpage (UI interaction required). This two-stage requirement limits opportunistic attacks. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) reflects network accessibility and low attack complexity once the renderer is compromised, but the prerequisite compromise is not trivial. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no active weaponization has been observed or disclosed as of the publication date.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. This patch hardens policy enforcement in the Worker implementation to prevent the bypass. Users on Windows, macOS, and Linux should prioritize this update. For organizations using Chromium-based browsers (Edge, Brave, Opera, etc.), verify that your browser vendor has released a corresponding patch and apply it on the same timeline.
Patch guidance
Chrome updates can be applied through Settings > About Chrome, which will automatically check for and install the latest version. For enterprise environments using managed Chrome installations, push version 149.0.7827.53 or later through your MDM/patch management system. If you use Chromium forks, cross-reference the upstream Chrome release notes to determine the equivalent patched version for your browser and deploy accordingly. Verify patch installation by navigating to chrome://version and confirming the version number matches or exceeds 149.0.7827.53.
Detection guidance
Detection is challenging because the attack requires prior renderer compromise and execution of crafted JavaScript in a Worker context. Monitor for unusual Worker creation patterns, especially those attempting cross-origin fetch operations. Security analytics platforms that inspect Chrome DevTools Protocol (CDP) traffic or JavaScript execution logs may flag Worker scripts making requests to unexpected domains. At the host level, monitor for secondary indicators: unusual browser process behavior, unexpected outbound connections, or privilege escalation attempts following a browser crash or suspicious tab load. Web application firewalls (WAFs) can log anomalous same-origin requests, but this requires detailed request logging.
Why prioritize this
Prioritize this update for users and systems where Chrome is the primary browser for accessing sensitive web applications or where the user handles credentials for multiple services. The Medium CVSS score (6.5) and requirement for prior renderer compromise lower the urgency compared to critical remote code execution flaws, but the ease of attack post-compromise (AC:L) and the high integrity impact (I:H) warrant quick deployment. Organizations with high-value targets (finance, healthcare, government) or those in sectors with active browser-targeted campaigns should patch within 1–2 weeks. General enterprise deployments can target 3–4 weeks.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects a network-accessible flaw with low attack complexity that causes high integrity impact (data exfiltration via cross-origin bypass) but requires user interaction and a prior renderer compromise. The lack of confidentiality impact (C:N) is correct because the Worker does not gain new data-reading capabilities; it gains the ability to write or send data where it should not. The unchanged scope (S:U) indicates the impact is limited to the Chrome process and the websites it accesses. This score appropriately situates the vulnerability as serious but not critical—it is a privilege escalation within a compromised browser, not a remote code execution vector.
Frequently asked questions
Is this vulnerability actively being exploited?
As of the publication date, CVE-2026-11197 has not been added to the CISA KEV catalog, which suggests no widespread or publicly disclosed exploitation. However, absence from KEV does not guarantee the vulnerability is not known to threat actors. Organizations should apply patches proactively rather than waiting for evidence of active exploitation.
Can I be attacked by this vulnerability just by visiting a malicious website?
No. The attacker must first compromise your browser's renderer process through another vector (malware, a separate browser exploit, or social engineering). Once the renderer is compromised, visiting a crafted webpage can then trigger the same-origin bypass. In practice, this means the vulnerability is a secondary exploitation step, not a direct attack entry point.
Do I need to patch if I don't use Chrome?
If you use Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi, etc.), check your browser vendor's security advisories to see if they have backported the patch. Most major Chromium forks release patches within days or weeks of upstream Chrome. If you use Firefox, Safari, or other non-Chromium browsers, you are not affected by this specific vulnerability.
What is a 'Worker' and why should I care about same-origin policy bypasses in one?
Workers are JavaScript threads that run in the background without blocking the main browser thread. They are commonly used for data processing, background fetches, and service workers (which enable offline functionality). Same-origin policy is the browser's core security boundary—it prevents scripts from accessing data on different domains. A bypass here means an attacker could use a Worker to exfiltrate cookies, session tokens, or sensitive data from other sites you are logged into, as long as the renderer is already compromised.
This analysis is based on information available as of the publication date (2026-06-04) and the modified date (2026-06-17). Patch version numbers and remediation steps reference Google's official advisory and should be verified against the latest Chrome release notes and your vendor's security bulletins before deployment. The vulnerability assessment does not include proof-of-concept exploit code and is intended to inform risk prioritization, not to enable exploitation. Users should apply patches as part of a regular, tested update cadence and not solely in response to this analysis. Organizations with bespoke Chromium builds or forks should consult their internal security team and the upstream Chromium project for patching guidance. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)
- CVE-2026-11026MEDIUMChrome Extension Navigation Bypass Vulnerability
- CVE-2026-11078MEDIUMChrome FileSystem Same-Origin Policy Bypass – MEDIUM Severity
- CVE-2026-11135MEDIUMChrome Autofill Bypass Allows Credential Misdirection
- CVE-2026-11187MEDIUMChrome Navigation Restriction Bypass Vulnerability
- CVE-2026-11190MEDIUMGoogle Chrome Extension Access Control Bypass (6.5 CVSS)
- CVE-2026-11193MEDIUMChrome Password Manager Access Control Bypass – CVSS 6.5
- CVE-2026-11210MEDIUMChrome Safe Browsing Bypass via Crafted RAR Files