CVE-2026-11233: Chrome FoldableAPIs Same-Origin Policy Bypass (Medium, 4.7 CVSS)
CVE-2026-11233 is a same-origin policy bypass vulnerability in Google Chrome's FoldableAPIs feature. An attacker who has already gained control of Chrome's renderer process—the component that executes web page code—can use a specially crafted HTML page to break through Chrome's security boundary and access data from websites the user visits. This requires the attacker to have already compromised the renderer, making it a secondary exploit rather than a direct entry point. The vulnerability affects Chrome versions prior to 149.0.7827.53.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.7 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in FoldableAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient policy enforcement in the FoldableAPIs implementation within Chromium. FoldableAPIs are a web standards feature for detecting and responding to foldable device hardware states. The flaw allows an attacker with renderer process compromise to craft HTML that circumvents same-origin policy (SOP) enforcement, potentially enabling cross-origin data access. This is classified as improper input validation (CWE-20). The attack requires user interaction—the user must visit the malicious page—and results in confidentiality impact only; integrity and availability are not affected.
Business impact
For most organizations, the business risk is limited because exploitation requires two conditions: an attacker must first compromise the Chrome renderer process through another vulnerability, and then trick a user into visiting a specially crafted webpage. This is a chaining scenario rather than a direct attack vector. However, in environments where users regularly visit untrusted content or where sophisticated multi-stage attacks are a concern, the ability to bypass same-origin policy increases the cost of renderer compromise by enabling data exfiltration. Confidential data accessible via the user's browser cookies or stored credentials could be at risk.
Affected systems
The vulnerability affects Google Chrome prior to version 149.0.7827.53. While the vendor list includes Apple macOS, Linux Kernel, and Microsoft Windows, these are the operating systems Chrome runs on; the vulnerability is specific to Chrome itself and its FoldableAPIs implementation. Any organization deploying Chrome—particularly on managed devices or in security-sensitive roles—should assess their Chrome version inventory. Mobile Chrome versions derived from the same Chromium codebase may also be affected; verify the specific version status from Google's security advisories.
Exploitability
Exploitability is rated as moderate but requires a prerequisite attack. The CVSS vector reflects that network access and no special privileges are needed, but user interaction is required and the attack scope extends beyond the vulnerable component. Critically, an attacker must have already compromised the renderer process through an unrelated vulnerability. The barrier to exploitation is therefore two-fold: first gaining renderer access, then luring a user to the malicious page. Public exploit code is not known to exist. The vulnerability is not on the CISA Known Exploited Vulnerabilities list.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. This is a straightforward patch that addresses the policy enforcement gap in FoldableAPIs. Chrome's auto-update mechanism should deliver this patch automatically; verify completion by checking Chrome's About page (chrome://about) to confirm the active version. Organizations managing Chrome fleet-wide should push this update through their standard software deployment channels and confirm adoption across endpoints before deprioritizing.
Patch guidance
For desktop Chrome: Enable automatic updates (the default) and allow the browser to restart, or manually navigate to chrome://settings/help to check for and apply updates immediately. For managed Chrome deployments, use your device management solution (e.g., Google Admin Console, Intune, or third-party MDM) to push version 149.0.7827.53 or later. For Chrome OS devices, patching is automatic and requires no administrator intervention. Test the patch in a small pilot group before fleet-wide deployment if your change management policy requires it, though this is a straightforward security update with minimal regression risk.
Detection guidance
Monitor Chrome version inventory across your organization using endpoint management tools or browser telemetry. Chrome auto-update should reduce the window of vulnerability, but verify actual version adoption rather than relying on deployment signals alone. Detection of active exploitation is challenging without renderer crash logs or network-based behavioral analysis; focus on version compliance as the primary control. If you operate a web service, consider monitoring for unusual cross-origin access patterns or anomalous cookie access from your security event logs, though this would only be visible if exploitation occurs against your specific domain. Network-based detection is not practical for this vulnerability.
Why prioritize this
While the CVSS score is 4.7 (Medium), the practical risk is lower due to the prerequisite renderer compromise requirement. Prioritize this as a standard security update rather than a critical emergency patch. Organizations running Chrome should patch within their standard update cycles (typically 2–4 weeks). However, if your organization is actively defending against targeted attacks or operates high-value targets, prioritize this patch sooner to reduce the attack surface available to sophisticated adversaries who have already achieved renderer compromise.
Risk score, explained
The CVSS 3.1 score of 4.7 reflects a Medium severity rating. The score is driven by network accessibility (AV:N), low attack complexity (AC:L), and no privilege requirement (PR:N), but is tempered by the requirement for user interaction (UI:R) and changed scope (S:C), combined with only confidentiality impact (C:L) and no integrity or availability impact (I:N, A:N). This is a reasonable assessment given that exploitation requires pre-existing renderer compromise. The score does not capture the prerequisite nature of the attack; organizations should not over-weight this number without considering the two-stage attack requirement.
Frequently asked questions
Do I need to prioritize this as an emergency patch?
No. While the vulnerability enables same-origin policy bypass, it requires an attacker to have already compromised your Chrome renderer through another vulnerability first. Treat this as a routine security update within your standard patch management cycle (2–4 weeks), unless you are actively defending against targeted attacks targeting your organization.
What is the FoldableAPIs feature and who uses it?
FoldableAPIs are a web standards API for detecting foldable device hardware states (like screen fold position on Samsung Galaxy Z devices). Most organizations and websites do not yet implement this feature. Unless you explicitly use foldable device detection on your web properties or extensively test on foldable hardware, this vulnerability has limited direct attack surface for you.
If our renderer is already compromised, what can an attacker do with same-origin policy bypass?
An attacker can exfiltrate data that would normally be protected by same-origin policy—such as cookies, session tokens, or data stored on other websites the user visits. They cannot execute arbitrary system commands or break out of the browser sandbox with this vulnerability alone. The damage is primarily confidentiality-related and depends on what sensitive data is accessible to the user's browser session.
Will Chrome auto-update protect us?
Yes, provided auto-update is enabled (the default for most users) and devices restart or update in a timely manner. However, verify actual version adoption on your managed devices rather than assuming deployment signals. Use your endpoint management tools to confirm version 149.0.7827.53 or later is active across your fleet.
This analysis is provided for informational purposes and reflects publicly available information current as of the publication date. Vulnerability data, including CVSS scores and vendor advisories, is subject to change. Organizations should verify patch availability and version numbers directly from Google's official security advisories and Chrome release notes. This summary does not constitute professional security advice; consult your security team or a professional advisor for guidance specific to your environment. No exploit code or weaponized proof-of-concept information is provided or endorsed. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11023MEDIUMChrome Same-Origin Policy Bypass in WebAppInstalls