MEDIUM 6.5

CVE-2026-11204: Google Chrome iOS Navigation Bypass – Patch & Detection Guide

A flaw in Google Chrome's sign-in implementation on iOS allows an attacker to bypass navigation restrictions by directing a user to a specially crafted webpage. The vulnerability requires user interaction—specifically visiting a malicious page—but does not require elevated permissions. While the attacker cannot read sensitive data or crash the application, they can manipulate the browser's navigation behavior in ways the user did not intend.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-284
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Signin in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11204 is a medium-severity implementation defect in Chrome's Signin feature on iOS (versions prior to 149.0.7827.53). The flaw is categorized as an improper access control issue (CWE-284) affecting the browser's navigation restriction enforcement. An unauthenticated network attacker can craft a malicious HTML page that, when visited by a user, bypasses intended navigation controls. The vulnerability does not permit information disclosure or denial of service, but does enable unauthorized navigation state modification. This reflects a gap in the security boundary between the Signin component and the browser's core navigation logic.

Business impact

For organizations, this vulnerability represents a vector for user misdirection and potential social engineering augmentation. If an attacker can silently bypass navigation restrictions, they may redirect authenticated users to phishing pages or credential-harvesting sites without triggering expected security prompts or restrictions. iOS users are particularly relevant if your organization relies on iOS devices for corporate access or mobile app authentication. The medium CVSS score and user-interaction requirement mean this is not an immediate, mass-exploitation risk, but it weakens the trust model of the browser's safety features.

Affected systems

Google Chrome on iOS versions prior to 149.0.7827.53. The vulnerability is specific to the iOS platform and does not affect Chrome on Android, macOS, Windows, Linux, or Chrome OS. Any user of an unpatched Chrome installation on iPhone or iPad is potentially at risk if they visit a malicious webpage.

Exploitability

Exploitation is practical but not trivial. The attacker must craft a specific HTML page and convince or socially engineer a user into visiting it. There is no network-only attack vector; user interaction is mandatory. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) reflects that network access is easy to obtain, attack complexity is low, but user click-through is required. The impact is high integrity (navigation bypass) but no confidentiality or availability loss. This is not in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting real-world exploitation has not been widespread or publicly reported as of the publication date.

Remediation

Update Google Chrome on iOS to version 149.0.7827.53 or later. iOS users should enable automatic app updates in the App Store settings to receive patches without manual intervention. Organizations managing iOS devices via MDM should push the Chrome update through device management policies. Verify the update installation by checking Settings > About Chrome to confirm the version number.

Patch guidance

Patch version 149.0.7827.53 is the minimum version that resolves this issue. Users running any version below 149.0.7827.53 on iOS should prioritize installation. There is no workaround; patching is the only remediation path. For managed deployments, confirm that your MDM solution can enforce Chrome version pinning or automatic updates. Test the patch in a non-production environment if your organization has custom Chrome configurations or enterprise policies.

Detection guidance

Detection of exploitation in the wild is challenging because the vulnerability is behavioral rather than crash-inducing. Monitor for unusual navigation patterns in browser logs or network traffic from iOS devices, particularly unexpected redirects to known phishing or credential-harvesting domains. Endpoint Detection and Response (EDR) solutions with iOS support may flag suspicious redirect chains. User reports of unexpected browser navigation changes are a key signal. Patch adoption can be tracked via MDM or app store telemetry to ensure coverage.

Why prioritize this

This vulnerability merits moderate priority. While it requires user interaction and does not permit data theft or system compromise, it undermines the integrity of the browser's navigation controls—a foundational trust mechanism. Organizations with high concentrations of iOS users, particularly those using Chrome for sensitive workflows or authentication, should prioritize patching within 30–60 days. It is not a critical, drop-everything patch, but it should not be neglected.

Risk score, explained

The CVSS 3.1 score of 6.5 (MEDIUM) reflects the balance between ease of attack (network-accessible, low complexity, but requires user interaction) and limited impact scope (integrity only, no confidentiality or availability loss). The attack does not require privileges, and the user is the only affected scope. The score appropriately signals a real but contained risk: not urgent like a 9.0+ remote code execution, but more serious than a low-impact local vulnerability.

Frequently asked questions

Can an attacker exploit this vulnerability without the user knowing?

The vulnerability requires a user to visit a malicious webpage. The user interaction is not transparent—they must navigate to the attacker's page. However, if tricked via phishing email or social engineering, a user may not realize the page is malicious until after they have visited it.

Does this affect Chrome on other platforms like Android or macOS?

No. This vulnerability is specific to Chrome on iOS. Android, macOS, Windows, Linux, and Chrome OS versions are not affected. If your organization manages both iOS and Android devices, only iOS Chrome requires urgent patching.

What is the difference between this vulnerability and a 'critical' one?

This is rated MEDIUM (6.5 CVSS) because it does not allow data theft, remote code execution, or system crashes. A critical vulnerability typically enables full system compromise or widespread data disclosure. This one narrows the attack surface to navigation manipulation, which is serious but more contained.

If we enforce a strict allow-list of approved domains, are we protected?

Possibly, but not entirely. If your organization can enforce a firewall or MDM policy that prevents access to unknown domains, that could mitigate exposure. However, the safest approach remains updating Chrome to 149.0.7827.53 or later.

This analysis is based on public vulnerability data as of June 2026. Patch version numbers, affected product versions, and vulnerability details are sourced from official Google Chrome and security advisories. Organizations should verify patch availability and compatibility in their own environments before deployment. This explainer does not constitute security advice; consult your security team and vendor advisories for organization-specific guidance. No exploit code or weaponizable proof-of-concept is provided. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).