CVE-2026-11243: Chrome Downloads Navigation Bypass Vulnerability
Google Chrome versions before 149.0.7827.53 contain a flaw in how it handles downloads that allows an attacker to bypass navigation restrictions by serving a specially crafted web page. When a user visits the malicious page, the browser's normal safeguards that prevent unwanted navigation can be circumvented, potentially allowing redirection to unintended destinations or other restricted actions. The vulnerability requires user interaction (clicking or visiting a page) and affects Chrome on Windows, macOS, and Linux.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
- Weaknesses (CWE)
- CWE-346
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Downloads in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11243 stems from an inappropriate implementation in Chrome's Downloads component that fails to properly enforce navigation restrictions. The vulnerability is classified as CWE-346 (Origin Validation Error), indicating that the browser does not correctly validate or enforce origin-based security policies when processing download-related navigation events. An attacker can craft HTML content that exploits this validation gap, allowing navigation that should otherwise be blocked by Chrome's same-origin policy or related security boundaries. The Chromium project rated this as Low severity in their own assessment, though the CVSS 3.1 score of 5.4 reflects moderate practical impact when considering network accessibility and user interaction requirements.
Business impact
Organizations relying on Chrome for secure web browsing face a modest but real increase in attack surface. Users could be redirected to malicious sites or experience unintended navigation during download operations, potentially enabling phishing, malware distribution, or social engineering attacks. The requirement for user interaction limits mass exploitation, but targeted campaigns against specific organizations remain feasible. For enterprises managing Chrome deployments, this represents a medium-priority patch that should be scheduled within standard update cycles, particularly for roles handling sensitive downloads or accessing restricted internal resources.
Affected systems
The vulnerability affects Google Chrome across multiple platforms: Windows, macOS, and Linux systems running Chrome versions prior to 149.0.7827.53. All users of affected Chrome versions are at risk when visiting untrusted websites. The issue does not appear to affect the Chrome browser on Android or other Chromium-based browsers at this time, though downstream projects should verify their own release cycles against the upstream patch.
Exploitability
Exploitation requires a user to visit a malicious or compromised website containing the crafted HTML payload. An attacker cannot exploit this vulnerability through passive network observation or without user action. The attack surface is broad—any website an employee visits could potentially host the exploit—but the barrier to exploitation is moderate due to the user interaction requirement. The low Chromium severity rating suggests the practical impact is constrained, possibly because the bypassed restrictions have limited consequence or are difficult to chain with other flaws. No public exploit code or widespread proof-of-concept is known at this time.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Automated update mechanisms in Chrome typically deploy patches within days of release; verify that auto-updates are enabled in your environment. Organizations using managed deployments should validate version compliance via endpoint management tools and enforce timely updates through Group Policy (Windows) or Mobile Device Management (macOS/Linux). No workaround is available; patching is the definitive remediation.
Patch guidance
Verify that your Chrome installation is running version 149.0.7827.53 or newer by checking Settings > About Chrome, which will display the current version and initiate an update if one is available. For enterprise deployments, use Chrome's policy templates to push updates or enforce minimum version requirements. Test the patched version in your environment to confirm compatibility with critical web applications before rolling out broadly. Given the moderate CVSS score and non-KEV status, this patch can be scheduled within your normal patch cadence but should not be deferred beyond two weeks.
Detection guidance
Monitor Chrome version compliance across your fleet using endpoint detection and response (EDR) tools or Mobile Device Management (MDM) solutions. Inspect browser logs for unusual navigation patterns or redirects originating from download operations, though such logs are often limited in Chrome's default configuration. Consider enforcing additional network-layer controls such as DNS filtering or web proxies to block known malicious domains. Since the vulnerability exploits navigation restrictions, SIEM rules flagging unexpected cross-origin navigations initiated from download contexts may provide supplementary detection.
Why prioritize this
This vulnerability merits medium priority due to its CVSS 5.4 score, requirement for user interaction, and absence from the CISA Known Exploited Vulnerabilities catalog. It is not critical or emergency-level, allowing scheduling within normal patch windows. However, it should not be ignored or deferred indefinitely, as the network accessibility and ease of exploitation (visiting a web page) mean that opportunistic threat actors may eventually develop working exploits. Organizations should prioritize this for patching within 2–3 weeks, especially for roles with high web exposure or those handling downloads from external sources.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) reflects an attack vector that is network-accessible, requires no special privileges, and can be exploited by an unauthenticated attacker via a simple HTML page. However, the score is mitigated by the User Interaction requirement and the limited scope of impact (low confidentiality and availability impact, no integrity impact). The absence from KEV and the Chromium project's own Low severity rating suggest that real-world exploitation has not yet been weaponized or actively exploited, and that the practical consequences of a successful attack are constrained. The score appropriately positions this as a routine but non-negligible patch priority.
Frequently asked questions
Can an attacker exploit this vulnerability without the user visiting a website?
No. Exploitation requires a user to visit a malicious or compromised webpage containing the crafted HTML payload. An attacker cannot trigger the vulnerability through email attachments, network traffic inspection, or any passive vector.
Does this vulnerability allow remote code execution or data theft?
No. The vulnerability permits bypassing navigation restrictions, which could lead to unintended redirection or access to restricted destinations. It does not grant code execution or direct access to sensitive user data. However, it could be chained with social engineering or other flaws to increase harm.
Is this vulnerability being actively exploited in the wild?
There is no evidence of active exploitation at this time. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, and no public proof-of-concept code or widespread attacks have been reported. Standard precautions and timely patching are sufficient.
Do I need to patch immediately, or can I wait for my normal update cycle?
You can follow your normal patch cycle, but do not defer patching beyond 2–3 weeks. The moderate CVSS score and user interaction requirement make this non-critical, but the network accessibility and broad attack surface warrant timely remediation.
This analysis is provided for informational purposes to support security decision-making. SEC.co does not guarantee the accuracy, completeness, or timeliness of vulnerability details and recommends verifying all patch versions and affected product lists against official vendor advisories before deployment. Security teams should conduct their own risk assessment based on their environment, threat landscape, and organizational policies. No information herein constitutes legal advice or a guarantee of security. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw
- CVE-2026-11048MEDIUMChrome Extension Same-Origin Policy Bypass (Medium, 6.5)
- CVE-2026-11081MEDIUMChrome Canvas Same-Origin Policy Bypass
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11084MEDIUMChrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
- CVE-2026-11132MEDIUMChrome Same-Origin Policy Bypass in Paint Component