CVE-2026-11212: Chrome DevTools Cross-Origin Data Leak via Malicious Extension
A vulnerability in Google Chrome's developer tools (DevTools) fails to properly enforce security policies that should prevent extensions from accessing data across different websites. An attacker could trick a user into installing a malicious Chrome extension, which could then exploit this flaw to steal sensitive information from websites the user visits. The issue affects Chrome versions before 149.0.7827.53.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11212 describes insufficient policy enforcement in Chrome's DevTools component, classified as a cross-origin data leak vulnerability (CWE-284: Improper Access Control). The flaw allows a malicious extension to bypass security boundaries and access data from origins other than its own. The vulnerability requires user interaction—specifically, convincing a user to install the malicious extension—but does not require elevated privileges. Once installed, the extension can leverage the DevTools policy gap to exfiltrate cross-origin data. The Chromium project rated this as Medium severity.
Business impact
This vulnerability primarily affects user confidentiality. Organizations with Chrome-dependent workflows face risk if employees install untrusted extensions, potentially exposing customer data, authentication tokens, or proprietary information viewed in the browser. The attack requires social engineering to distribute the malicious extension, making organizations with strong extension governance policies less vulnerable. However, users who bypass policy controls or operate in BYOD environments remain at risk.
Affected systems
Google Chrome prior to version 149.0.7827.53 is directly affected. The vulnerability also affects Chrome running on macOS, Linux, and Windows, so all major operating systems running vulnerable Chrome releases are in scope. Organizations should inventory Chrome deployments and verify patch status across all endpoints, regardless of OS.
Exploitability
Exploitation requires user interaction—specifically convincing a user to install a malicious extension. There is no network-based attack vector or exploit requiring zero-click execution. The attack surface is limited to users who either explicitly approve extension installation or operate in environments with weak extension controls. Social engineering, phishing, or masquerading as a legitimate tool would be typical attack vectors. CVSS 4.3 reflects this moderate barrier to exploitation combined with confidentiality impact.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Organizations should enforce Chrome auto-update policies to minimize the window of vulnerability. Additionally, implement extension governance policies that restrict installation to approved, vetted extensions from trusted developers. Security teams should review any existing extension deployments and remove or disable suspicious or unnecessary extensions.
Patch guidance
Chrome auto-updates can be configured at the enterprise level via group policy (Windows), configuration profiles (macOS), or Linux policy mechanisms. Verify deployment across managed endpoints to confirm all instances have reached version 149.0.7827.53 or later. If auto-update is disabled for operational reasons, prioritize this update. Test in a limited environment first if your organization has custom extensions that may be affected by the policy enforcement change.
Detection guidance
Monitor for unexpected extension installations, particularly outside of managed app deployment processes. Review Chrome extension logs for extensions requesting excessive cross-origin permissions or installed from untrusted sources. Endpoint detection and response (EDR) tools can flag suspicious extension behavior. Additionally, check browser console logs and DevTools activity for unusual data exfiltration patterns. Extension marketplace reviews and user reports of unexpected data access may surface active exploitation.
Why prioritize this
While the CVSS score is moderate (4.3), the vulnerability warrants timely patching because it enables confidentiality breaches through a commonly exploited attack vector: malicious extensions. Organizations relying on Chrome for handling sensitive data should prioritize this update. The lack of active exploitation in the wild (no KEV status) provides a window to patch proactively before attackers mature campaigns.
Risk score, explained
CVSS 4.3 (Medium) reflects a low-complexity network attack requiring user interaction and resulting in confidentiality loss only—no integrity or availability impact. The vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N captures that the attack is network-reachable, requires no privileges, but does need the user to install the extension. The lack of scope change (S:U) and limited impact (C:L only) keep the score below 5.0, but the confidentiality risk in multi-user or high-data-exposure environments justifies not dismissing this as low-priority.
Frequently asked questions
Can this vulnerability be exploited without user interaction?
No. An attacker must convince a user to install a malicious Chrome extension. There is no network-based or zero-click exploitation path. This significantly raises the bar for mass exploitation but does not eliminate risk, particularly in targeted campaigns or social engineering scenarios.
Does updating Chrome automatically protect me, or do I need to do anything else?
Updating to Chrome 149.0.7827.53 or later patches the underlying DevTools policy gap. However, if a malicious extension is already installed, updating Chrome alone does not remove it. Review and remove any suspicious extensions manually or via organizational deployment policies. Enable managed extension policies to prevent unauthorized installation in the future.
Are organizations using Chromebooks affected differently?
Chromebooks also run Google Chrome and are affected by the same vulnerability. Chromebook fleet management allows centralized patching and extension policy enforcement, which often provides stronger controls than traditional Windows or macOS deployments. Verify that Chrome OS auto-update is enabled and that extension policies are enforced.
Why is this not marked as a Known Exploited Vulnerability (KEV)?
The vulnerability was published on June 4, 2026, and has not yet been added to CISA's KEV catalog, indicating no confirmed active exploitation in the wild as of the KEV publication date. This does not mean exploitation is impossible—only that it has not been widely observed. Proactive patching is still recommended.
This analysis is based on official CVE and Chromium security advisory data as of the publication date. Patch version numbers, affected product versions, and vulnerability details must be verified against the official Google Chrome security advisory and vendor guidance before deployment. SEC.co does not provide guarantee of exploit availability, patch timing, or organizational compatibility. Security teams should conduct their own risk assessment based on their specific Chrome deployment architecture and data protection requirements. This document is for informational purposes and does not constitute security advice tailored to any particular organization. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)
- CVE-2026-11026MEDIUMChrome Extension Navigation Bypass Vulnerability
- CVE-2026-11078MEDIUMChrome FileSystem Same-Origin Policy Bypass – MEDIUM Severity
- CVE-2026-11135MEDIUMChrome Autofill Bypass Allows Credential Misdirection
- CVE-2026-11187MEDIUMChrome Navigation Restriction Bypass Vulnerability
- CVE-2026-11190MEDIUMGoogle Chrome Extension Access Control Bypass (6.5 CVSS)
- CVE-2026-11193MEDIUMChrome Password Manager Access Control Bypass – CVSS 6.5
- CVE-2026-11197MEDIUMChrome Same-Origin Policy Bypass in Workers – Patch v149.0.7827.53