MEDIUM 4.3

CVE-2026-11216: Chrome File Input UI Spoofing – Patch to 149.0.7827.53

Google Chrome contains a flaw in how it displays security warnings for file input operations. An attacker can craft a malicious webpage that tricks users into performing specific mouse or keyboard actions—such as clicking or dragging—that trigger the file picker dialog. By manipulating the visual presentation of this dialog, the attacker can deceive the user about what action they're performing, potentially leading them to upload sensitive files or authorize unintended operations. This is a user-interaction vulnerability: it requires the attacker to convince the user to engage in the specific gestures, but once they do, the spoofed UI can create false impression of legitimacy.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-451
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Incorrect security UI in File Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11216 is a UI spoofing vulnerability stemming from incorrect security UI implementation in Chrome's file input handling. The vulnerability resides in CWE-451 (User Interface (UI) Misrepresentation of Critical Information), allowing remote attackers to craft HTML pages that misrepresent the security context of file selection operations. The flaw affects Chrome versions prior to 149.0.7827.53. By exploiting timing, visual overlap, or state confusion in the file picker UI, an attacker can present false information to the user—for instance, hiding the true origin of the file request or masking the destination of uploaded data. The attack vector is network-based with low complexity and requires user interaction; no elevated privileges are needed.

Business impact

For most users, the direct risk is moderate: individual data exfiltration or unauthorized file uploads via social engineering. For enterprises, the concern centers on user training effectiveness and endpoint isolation. If an attacker targets employees with access to sensitive files—credentials, proprietary documents, customer data—a successful UI spoofing attack can bypass security awareness. However, this is not a zero-click vulnerability; it demands active user participation in a deceptive scenario. Organizations should assess the likelihood of their user base falling for such attacks and factor that into incident response readiness and endpoint monitoring.

Affected systems

The vulnerability affects Google Chrome on all major platforms: Windows, macOS, and Linux. Any system running Chrome versions prior to 149.0.7827.53 is vulnerable. Users of Chromium-based browsers (Edge, Opera, Brave, etc.) built from affected Chromium versions should also verify their patch status. The underlying platforms (Windows, macOS, Linux kernel) are not themselves vulnerable; only Chrome's UI layer is affected.

Exploitability

Exploitation requires a remote attacker to host a crafted HTML page and persuade a user to visit it. The user must then perform specific gestures—typically clicking or interacting with a file input element in a way that triggers Chrome's file picker. The attacker cannot force these actions; social engineering is essential. Once the user engages, the spoofed UI can misrepresent what is happening, potentially leading to unintended file uploads. The attack is repeatable and not patched in older versions, making it a persistent threat for any users who remain on unpatched Chrome builds. Public tools or detailed PoC code are not widely known, but the vulnerability is conceptually straightforward.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. For Windows users, this update is typically delivered automatically; manually check Chrome Settings > About to trigger an immediate update if needed. macOS and Linux users should verify they are running the latest stable version. Organizations should enforce Chrome update policies via device management platforms (MDM/EMM) and confirm that automatic updates are enabled. Legacy or air-gapped environments should schedule manual patching. There is no workaround that disables file input functionality while maintaining browser usability, so patching is the only remediation.

Patch guidance

Update Chrome to 149.0.7827.53 or later as soon as feasible. Priority should be high for systems where users handle sensitive data or interact with untrusted websites. Verify the update in Chrome's About menu (Settings > About Chrome > should auto-update to the patched version). For enterprise deployments, use Google's official Chrome release notes and version tracking to confirm patch availability in your update channel. If your organization uses a managed Chrome release schedule, coordinate with system administrators to expedite the rollout for high-risk user groups.

Detection guidance

Monitor for suspicious file uploads or unauthorized data exfiltration tied to user sessions immediately following visits to unfamiliar or untrusted domains. Review browser history and file-upload logs for patterns of unexpected file operations. Organizations with endpoint detection and response (EDR) tools should configure rules to alert on sudden file access or upload activity that correlates with Chrome usage on suspicious sites. Because the vulnerability requires user interaction, behavioral signals (e.g., files accessed but not normally accessed by that user) may be more valuable than network signals alone. Note that this vulnerability does not leave obvious forensic traces unless combined with data loss; focus on user reports of confusing UI behavior.

Why prioritize this

Although the CVSS score is 4.3 (MEDIUM) and the Chromium severity is LOW, the vulnerability warrants timely patching because: (1) exploitation is trivial from an attacker perspective—no special tools or zero-day techniques required; (2) the attack surface is broad, affecting all Chrome users who visit untrusted sites; (3) UI spoofing vulnerabilities are a known vector for credential harvesting and data theft in the wild; (4) Chrome updates are frequent and low-friction, making patching operationally easy. However, this is not a critical vulnerability and does not merit emergency response if your update cadence is monthly or shorter.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects a network-based attack with low complexity and required user interaction, no privilege escalation, and impact limited to integrity (spoofing does not directly cause confidentiality loss or availability impact—the user must be tricked into uploading a file, not having files stolen from them). The 'MEDIUM' severity label in the CVSS framework is conservative; the Chromium project assigned it 'Low' because the attack requires user cooperation and does not expose system-level secrets. For most organizations, the practical risk is lower than 4.3 suggests, but context matters: if your user base is frequently targeted by phishing or social engineering, the risk is higher.

Frequently asked questions

Do I need to immediately patch if I'm on an older version of Chrome?

Not if you cannot visit untrusted websites. However, because the internet is unpredictable and compromised legitimate sites can host malicious HTML, it is prudent to patch within your normal update window (typically monthly). If users in your organization interact with high-risk content or external partners, prioritize patching higher.

Will Chrome automatically update, or do I need to do it manually?

Chrome on Windows, macOS, and Linux checks for updates automatically. Most users will receive the patched version 149.0.7827.53 without intervention. To force an update, open Settings > About Chrome; the browser will check for updates and apply them. Some enterprise deployments use managed update policies that may delay patching, so confirm with your IT department if you are in a corporate environment.

What is the difference between the CVSS score (4.3) and the Chromium severity (Low)?

CVSS is a standardized scoring method that focuses on technical exploitability and impact; a score of 4.3 places this in the MEDIUM bucket. Chromium's severity assessment is subjective and considers real-world threat likelihood, user prevalence, and defense-in-depth. Low severity means Chromium believes the risk is manageable without emergency response. Both assessments are valid; use CVSS for standardized risk frameworks and Chromium severity for Chrome-specific patching priorities.

Can I defend against this by disabling file uploads or JavaScript?

Disabling JavaScript would break nearly all modern websites. There is no practical browser setting that mitigates this vulnerability while preserving usability. Patching is the only reliable fix. User training on recognizing suspicious UI behavior is a helpful secondary control but cannot replace patching.

This analysis is based on publicly available CVE data as of June 2026. CVSS and vulnerability classifications are provided by the CVE and Chromium projects respectively and are subject to interpretation. Patch versions and availability should be verified against Google's official Chrome release notes and your organization's update policy. This vulnerability requires user interaction and is not currently tracked in the CISA KEV catalog. Organizations should validate patch deployment and test in their environment before widespread rollout. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends consulting official vendor advisories and your security team for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).