CVE-2026-11206: Chrome Service Worker Data Leak Vulnerability – CVSS 6.5
A vulnerability in Google Chrome's Service Worker implementation allows attackers to access sensitive data from websites you visit, even data that should be restricted to specific origins. An attacker can craft a malicious web page that, when visited, exploits insufficient policy checks to leak cross-origin information. This requires user interaction—you must visit the attacker's page—but once there, the browser's protections are bypassed without additional warnings or user awareness.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-693
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in ServiceWorker in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11206 stems from insufficient policy enforcement within Chrome's Service Worker mechanism, which manages offline functionality and background tasks. Service Workers are scoped to specific origins for security isolation. This vulnerability allows a remote attacker to circumvent that isolation via a specially crafted HTML page, leading to unauthorized access to cross-origin data. The root cause is classified under CWE-693 (Protection Mechanism Failure), indicating a breakdown in the browser's origin-based security model. The vulnerability affects Chrome versions prior to 149.0.7827.53.
Business impact
Organizations face data exposure risk if employees browse the web using vulnerable Chrome instances, particularly when visiting compromised or adversary-controlled sites. Cross-origin data leakage could compromise authentication tokens, session identifiers, or private user information from legitimate web applications. The attack requires social engineering or infrastructure compromise to distribute a malicious page, but the barrier to exploitation is low. For enterprises relying on web applications for sensitive operations, this creates a compliance and breach risk until patching is complete.
Affected systems
Google Chrome browsers running version 149.0.7827.52 and earlier are directly vulnerable. Chrome runs on multiple operating systems—Windows, macOS, and Linux—so the attack surface spans desktop environments across all three platforms. While the vendor list includes Apple macOS, Microsoft Windows, and Linux kernel, the vulnerability is specific to the Chrome browser application; the OS itself is not compromised. Any system running an unpatched Chrome instance is at risk.
Exploitability
Exploitability is moderate-to-high in practical scenarios. The attack requires network accessibility (the attacker's crafted HTML must be reachable) and user interaction (the victim must visit the malicious page), but both barriers are relatively low in modern web usage. No user authentication or elevated privileges are needed. The victim's browser does the exploitation automatically once the page loads. The vulnerability is not known to be actively exploited in the wild (not on the CISA Known Exploited Vulnerabilities list), but the technical requirements for weaponization are straightforward.
Remediation
Update Google Chrome to version 149.0.7827.53 or later on all affected systems. Chrome's auto-update mechanism typically handles this with a browser restart, but verify completion by checking Settings > About Google Chrome. For managed enterprise environments, enforce the minimum version via group policy or mobile device management. No workarounds are available; patching is the only mitigation. Users should prioritize this update given the data exposure risk.
Patch guidance
Verify that Chrome is updated to 149.0.7827.53 or later. On Windows and macOS, navigate to Chrome menu > Help > About Google Chrome to trigger an immediate update check and display the current version. Linux users should update via their distribution's package manager (apt, yum, etc.) to pull the patched version. In enterprise environments, use your patch management tooling or Chrome Enterprise policies to enforce version 149.0.7827.53 as a minimum requirement. Restart Chrome after updates to ensure the new code is loaded. Test functionality on key web applications post-patch to confirm compatibility.
Detection guidance
Monitor Chrome version inventory across your organization using asset management or endpoint detection tools. Flag any instances running versions prior to 149.0.7827.53. Web application firewalls and network sensors may not reliably detect this attack in real time due to its reliance on browser-internal policy enforcement; focus on ensuring all Chrome instances are patched rather than post-breach detection. If you suspect exploitation, review browser history on affected systems for visits to suspicious or unexpected domains, and audit logs of accessed web services for anomalous cross-origin requests or data exfiltration patterns during the vulnerable period.
Why prioritize this
This should be prioritized for rapid patching in most environments. Although the CVSS score is 6.5 (Medium), the practical impact is significant: cross-origin data leakage can expose authentication credentials, session tokens, or private user data, leading to secondary account compromises or fraud. The attack is non-interactive from the browser's perspective (once the page is visited, the vulnerability is triggered automatically), and the exploit requirements are low. Combined with Chrome's ubiquity in enterprises, this poses a meaningful risk to data confidentiality. Prioritization should be high for organizations with sensitive web applications or strict data protection obligations.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects high confidentiality impact (C:H) with no integrity or availability impact, low attack complexity, no privilege requirements, and a requirement for user interaction. The 'Medium' severity tag reflects the scope being unchanged (S:U)—the attack does not escalate privileges or affect other users' data directly, only the victim's own cross-origin data. However, in real-world threat modeling, the practical risk often exceeds this score because credentials and session tokens can cascade into account takeover or lateral movement. Organizations handling highly sensitive data should treat this as a critical update despite the 'Medium' label.
Frequently asked questions
Can this attack steal my passwords or financial data directly?
The vulnerability leaks data scoped to cross-origin contexts—typically data that websites store or serve via Service Worker mechanisms. This includes authentication tokens, session IDs, and API responses. Direct access to encrypted passwords depends on how the website stores them; tokens and session identifiers are higher-value targets because they grant immediate unauthorized access. If you use web applications for banking or sensitive accounts, the leaked tokens could enable an attacker to impersonate you without knowing your password.
Do I need to change my passwords after a breach of this vulnerability?
Only if you believe an attacker accessed your session tokens or credentials during the vulnerable period. Check your browser history for unexpected visits (malware or phishing could have forced you to a malicious page), and monitor your accounts for suspicious activity. If you visited only trusted sites during the timeframe of vulnerability, the risk is lower. When in doubt, a password reset is prudent for high-value accounts, particularly those linked to payment or identity systems.
Why is this not on the CISA KEV list if it's so risky?
Inclusion on the Known Exploited Vulnerabilities catalog requires evidence of active exploitation in the wild by threat actors. This vulnerability was patched shortly after disclosure, and there is no public evidence of weaponized attacks yet. However, the technical barrier to exploitation is low, so new evidence could emerge. Assume it will be exploited opportunistically if systems remain unpatched.
Does updating Chrome break my extensions or saved data?
No. Chrome updates preserve your extensions, bookmarks, passwords, and browsing data. After updating to version 149.0.7827.53, restart your browser and verify that your extensions are enabled and functional. If a third-party extension is incompatible with the new version, you will see a warning in the Extensions menu; contact the extension developer or use an alternative if it is critical to your workflow.
This analysis is based on vendor disclosures and public CVE data current as of the modification date (2026-06-17). Patch version numbers and severity ratings are sourced directly from Google's Chromium security advisories. Organizations must verify compatibility and test patches in non-production environments before deployment. This explainer provides context and guidance only; it does not constitute professional security advice or guarantee of protection. Always consult your vendor's official advisories and your organization's change management process before deploying patches. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11174MEDIUMChrome Site Isolation Bypass – CVSS 5.3 Medium Vulnerability
- CVE-2026-11219MEDIUMGoogle Chrome Navigation Bypass Vulnerability – Patching Guide
- CVE-2026-11234MEDIUMChrome FoldableAPIs Site Isolation Bypass (149.0.7827.53)
- CVE-2026-11260MEDIUMGoogle Chrome CSP Bypass in Permissions Handling
- CVE-2026-11264MEDIUMContent Security Policy Bypass in Chrome – Patch to 149.0.7827.53
- CVE-2026-11266MEDIUMChrome Safe Browsing Bypass Vulnerability — Patch v149.0.7827.53
- CVE-2026-11288MEDIUMCross-Origin Data Leak via CSS in Chrome – Patch Guidance
- CVE-2026-11292MEDIUMChrome CSP Bypass in Blink Rendering Engine – CVSS 4.3