CVE-2026-11200: Chrome WebRTC Cross-Origin Data Leakage Vulnerability
A flaw in Google Chrome's WebRTC implementation allows attackers to steal private data from other websites through a malicious HTML page. An attacker would need to trick a user into visiting their crafted webpage while Chrome is running, but no special technical privileges are required. The vulnerability affects Chrome versions before 149.0.7827.53 across Windows, macOS, and Linux.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-346, CWE-352
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11200 is a cross-origin data leakage vulnerability in Chrome's WebRTC subsystem stemming from improper implementation of the WebRTC specification. The flaw maps to CWE-346 (Origin Validation Error) and CWE-352 (Cross-Site Request Forgery), indicating that the browser fails to properly validate the origin of WebRTC communications or enforce adequate isolation boundaries. An attacker can craft a malicious HTML page that, when visited by a victim, exploits WebRTC's peer-connection establishment process to exfiltrate session data, authentication tokens, or other sensitive cross-origin content. The attack requires user interaction (visiting the malicious page) but does not require the victim to have any special system privileges or advanced browser configuration.
Business impact
Successful exploitation could result in the theft of user session credentials, authentication cookies, or sensitive cross-origin data accessed through compromised websites. For organizations where employees use Chrome to access internal or sensitive cloud applications, this vulnerability creates a risk of credential theft and unauthorized data access. An attacker could potentially impersonate a victim or access private information that was intended to remain within a single origin, leading to potential compliance violations, account takeover, or data exfiltration incidents.
Affected systems
This vulnerability affects Google Chrome prior to version 149.0.7827.53. Because Chrome runs on Windows, macOS, and Linux, all users on those platforms running unpatched Chrome versions are at risk. The vulnerability is not specific to any particular Chrome extension, plugin, or configuration—it is present in the core WebRTC implementation and affects all users equally.
Exploitability
Exploitability is straightforward: an attacker must craft a malicious HTML page and distribute it through social engineering, phishing, or ad networks to lure users into visiting it. Once a user clicks on the link or is redirected to the page, the JavaScript payload automatically triggers the WebRTC data leakage without additional user interaction beyond the initial visit. No authentication bypass or system compromise is needed. The CVSS score of 6.5 reflects the high confidentiality impact (C:H) tempered by the requirement for user interaction and the fact that it does not enable code execution or system availability attacks.
Remediation
Organizations should prioritize patching Google Chrome to version 149.0.7827.53 or later across all endpoints. For users who cannot immediately update, temporary mitigations include disabling WebRTC in Chrome (via chrome://flags search for 'WebRTC' settings) or using browser extensions that block or restrict WebRTC, though these are not long-term solutions. Verify the patch version against Google's official Chrome release notes to ensure correct deployment.
Patch guidance
Update Google Chrome to version 149.0.7827.53 or later. Google rolls out updates automatically on most platforms, but users should manually check Help > About Google Chrome (or the equivalent on their OS) to force an immediate update check if their systems have not yet received the patch. Enterprise administrators managing Chrome through Group Policy (Windows) or configuration profiles (macOS) should deploy version 149.0.7827.53 or later to their Chrome managed devices. Verify patch deployment by checking chrome://version in the browser to confirm the installed version matches or exceeds the patched version.
Detection guidance
Monitor for WebRTC-related exploitation attempts by checking network logs for unusual peer-to-peer connections originating from the Chrome process, particularly those directed to external or unexpected IP addresses. Endpoint detection and response (EDR) tools should alert on Chrome process spawning suspicious JavaScript execution or attempting to exfiltrate sensitive data. Web proxy logs may reveal visits to known malicious HTML pages designed to exploit this vulnerability. Additionally, monitor Chrome update compliance through your patch management or mobile device management (MDM) system to ensure all instances are running version 149.0.7827.53 or later.
Why prioritize this
Although the CVSS score is 6.5 (Medium), the attack vector is network-based, requires minimal user interaction, and has high confidentiality impact. The vulnerability directly threatens user session security and cross-origin data protection—fundamental trust boundaries in web security. Because Chrome is ubiquitous in enterprise and consumer environments, and the patch is readily available and straightforward to deploy, rapid patching should be a priority to close a window of exposure that could be actively exploited via phishing campaigns targeting your users.
Risk score, explained
The CVSS 3.1 score of 6.5 is driven by a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and required user interaction (UI:R). The high confidentiality impact (C:H) reflects the ability to leak sensitive cross-origin data, while integrity (I:N) and availability (A:N) remain unaffected because the flaw does not allow the attacker to modify data or crash the browser. The score appropriately reflects a serious but remediable data confidentiality risk that does not allow code execution or system compromise.
Frequently asked questions
Can I be attacked if I just browse normally without clicking suspicious links?
The attack requires you to visit a malicious webpage, typically through a link in a phishing email, a malicious advertisement, or a compromised site. Simply having Chrome open and browsing legitimate websites does not trigger the vulnerability. However, attackers may embed the exploit in legitimate-looking pages, so it's important to keep Chrome patched and avoid clicking unexpected links.
Does this vulnerability allow attackers to execute malicious code on my computer?
No. This vulnerability is limited to leaking data across origins through WebRTC—it does not provide code execution, system command access, or privilege escalation. The attacker can steal session tokens or other sensitive information, but cannot directly run programs or take control of your machine.
If I use a different browser like Firefox or Safari, am I safe from this?
Yes. This vulnerability is specific to Google Chrome's WebRTC implementation. Firefox, Safari, Edge, and other browsers either have different WebRTC implementations or are patched separately. However, check that your browser of choice has also been updated to the latest version to protect against similar vulnerabilities in those browsers.
What should enterprise IT administrators do right now?
Verify your Chrome version distribution through your MDM or patch management system. Create a deployment package or policy to push Chrome 149.0.7827.53 or later to all managed devices. Set a deadline for compliance (for example, 7–14 days depending on your risk tolerance) and monitor for stragglers. Communicate the update to end users and remind them that Chrome should update automatically, but they may need to restart their browser to apply the patch.
This analysis is provided for informational purposes only and reflects the vulnerability details as of the publication and modification dates shown. Security teams should verify all patch version numbers and availability dates against official vendor advisories from Google, Microsoft, Apple, and the Linux kernel maintainers before deploying patches. Exploitation vectors and risk assessments are based on published CVE details and general security principles; actual risk in your environment may vary. For the most current information and official remediation guidance, consult Google Chrome's official security advisory and your organization's vulnerability management processes. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11084MEDIUMChrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
- CVE-2026-11194MEDIUMChrome Cross-Origin Data Leak Vulnerability – Patch Guidance
- CVE-2026-11195MEDIUMChrome MHTML Cross-Origin Data Leak – Patch Now
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw
- CVE-2026-11048MEDIUMChrome Extension Same-Origin Policy Bypass (Medium, 6.5)