CVE-2026-11214: Google Chrome iOS Data Leak Vulnerability
A flaw in Google Chrome for iOS allows attackers to trick users into visiting a malicious website that can leak data from other websites the user has open in their browser. The attacker needs the victim to interact with the malicious page (such as clicking a link), but no special technical skills or authentication are required on the attacker's side. This is a cross-origin data leak vulnerability affecting Chrome on iPhones and iPads running iOS.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-346, CWE-352
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11214 exploits an inappropriate implementation of cross-origin protections in Chrome for iOS, specifically in how the browser handles data isolation between different websites. The vulnerability involves both origin validation failures (CWE-346) and missing cross-site request forgery protections (CWE-352). A remote attacker can craft a malicious HTML page that, when visited by a user, exfiltrates sensitive data from other origins the user is actively browsing. The attack requires user interaction but does not require the victim to be authenticated to any particular service, making it broadly exploitable.
Business impact
Organizations whose users frequently access sensitive web applications on iPhones (banking portals, cloud services, internal dashboards) face exposure of authentication tokens, session data, or personally identifiable information. The vulnerability is particularly concerning in bring-your-own-device (BYOD) environments and organizations with mobile-first workflows. Data exfiltration could lead to account takeovers, fraud, regulatory violations (GDPR, HIPAA), and reputational harm. The medium severity reflects high confidentiality impact but no direct integrity or availability risk.
Affected systems
Google Chrome for iOS versions prior to 149.0.7827.53 are vulnerable. The vulnerability exists on Apple iPhone OS (iOS) devices running affected Chrome versions. Users on iPad also face risk if running the vulnerable Chrome version. This is iOS-specific; the vulnerability does not affect Chrome on Android, macOS, Windows, or Linux based on the disclosed scope.
Exploitability
The vulnerability is directly exploitable without authentication or special privileges. Attack complexity is low: an attacker simply hosts a malicious webpage and lures users to visit it (via phishing, ad injection, social engineering, etc.). User interaction is required—the user must navigate to the attacker's page or interact with it—but this is a reasonable prerequisite for phishing. No zero-click exploitation is implied. The CVSS vector reflects this: network-accessible, low complexity, requiring user interaction, but with no privilege elevation needed.
Remediation
Immediate patching is critical for any organization with iOS users accessing sensitive data through Chrome. Users should update Google Chrome on their iOS devices to version 149.0.7827.53 or later. For organizations, enforce Chrome auto-updates via Mobile Device Management (MDM) policies and consider blocking or restricting Chrome access to sensitive internal applications until all devices are patched. Alternatively, recommend users switch to Safari (which is updated with iOS) or other browsers until patch deployment is verified.
Patch guidance
Google Chrome for iOS is typically updated automatically; however, verify that users have enabled automatic updates in the App Store settings. IT teams managing iOS devices should use MDM solutions to enforce minimum Chrome version 149.0.7827.53 or higher. Check device compliance dashboards to identify systems still running older versions and deploy remediation workflows. Patch this within 5–7 days given the medium severity and ease of exploitation via social engineering.
Detection guidance
Detection is challenging at the endpoint level since exploitation appears as normal HTTPS traffic to a benign-looking webpage. Monitor for anomalous outbound data exfiltration patterns in network logs. Web application firewalls should watch for suspicious Cross-Origin Resource Sharing (CORS) requests or XHR patterns that deviate from expected application behavior. User reports of unexpected authentication logouts or account activity can signal successful exploitation. Consider deploying browser isolation or sandboxing for high-risk users and sensitive web applications.
Why prioritize this
Although marked as medium severity with no active exploitation in the wild (KEV status: not listed), the confluence of low attack complexity, high confidentiality impact, and reliance on user interaction—which is trivial for attackers to trigger via phishing—warrants rapid remediation. The iOS-specific scope limits immediate blast radius, but any organization with mobile workforce access to sensitive systems should treat this as high priority for patch deployment. The 13-day gap between publication and modification suggests active refinement; monitor for any elevation or proof-of-concept disclosure.
Risk score, explained
The CVSS 6.5 (Medium) score accurately reflects the vulnerability's risk. It combines high confidentiality impact (users can lose access to sensitive cross-origin data) with low attack complexity and no authentication requirement, balanced against the user interaction precondition. The lack of integrity or availability impact prevents a higher score. In practice, organizational risk depends on the prevalence of iOS Chrome use within your environment and the sensitivity of data accessible from affected users' browsers.
Frequently asked questions
Can my organization be exploited if we don't use Chrome on iOS?
No. This vulnerability is specific to Google Chrome running on Apple iOS devices (iPhones and iPads). If your organization only supports Safari, Android devices, or desktop browsers, you are not directly affected. However, if any employees use personal iPhones with Chrome to access corporate systems, they could be compromised.
Does the user know they're being attacked?
Not necessarily. The user visits what appears to be a normal website—perhaps a link in a phishing email or a compromised ad. In the background, the malicious page reads data from other browser tabs or windows the user has open. The attack is silent from the user's perspective unless they actively monitor their browser tabs.
What data can be stolen?
The vulnerability leaks data that resides in other origins (websites) the user is browsing. This typically includes session tokens, cookies (if not properly flagged as HttpOnly), authentication credentials, personal information displayed in web applications, and API responses. The scope depends on what the user has open in other tabs at the time of exploitation.
Is this in the known exploited vulnerabilities (KEV) list?
No. As of the published date, this vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog and shows no evidence of active wild exploitation. This makes it somewhat lower priority than actively exploited flaws, but not a signal to delay patching indefinitely.
This analysis is provided for informational purposes and should not be treated as legal or professional security advice. All patch version numbers and affected software versions cited herein are derived from the official CVE record and should be verified against vendor advisories before deployment. Organizations should conduct their own risk assessments and consult with internal security and compliance teams before taking remediation action. SEC.co makes no warranty regarding the completeness or accuracy of exploit code or threat intelligence beyond the official CVE details. Always test patches in a non-production environment first. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11084MEDIUMChrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
- CVE-2026-11194MEDIUMChrome Cross-Origin Data Leak Vulnerability – Patch Guidance
- CVE-2026-11195MEDIUMChrome MHTML Cross-Origin Data Leak – Patch Now
- CVE-2026-11200MEDIUMChrome WebRTC Cross-Origin Data Leakage Vulnerability
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw