LOW 3.1

CVE-2026-11251: Chrome Password Manager Policy Enforcement Flaw

A flaw in Chrome's password manager allows a sophisticated attacker to read stored password information if they can first compromise Chrome's renderer process through a malicious web page. The vulnerability requires multiple conditions to exploit: the attacker must already control the rendering engine, the user must interact with the page, and the attack surface is limited to sensitive credential disclosure. Chrome versions before 149.0.7827.53 are affected. This is not a zero-click issue and does not allow code execution or system-level access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-20
Affected products
4 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Insufficient policy enforcement in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11251 is an insufficient policy enforcement vulnerability (CWE-20) in the Password Manager component of Google Chrome prior to version 149.0.7827.53. The flaw permits a threat actor with an existing renderer process compromise to circumvent discretionary access controls (DAC) through a specially crafted HTML page, potentially enabling unauthorized disclosure of stored authentication credentials. The attack requires user interaction and network accessibility to a malicious page. No privilege escalation or integrity compromise is possible through this vector alone.

Business impact

Password manager bypasses represent a medium business concern despite the low CVSS score, because successful exploitation exposes an organization's credential vault if a renderer compromise occurs. This could cascade into lateral movement, account takeover, and unauthorized access to downstream systems. The practical risk depends on whether your organization has enforced Chrome as a standard browser and how thoroughly you isolate renderer compromises via sandboxing and network segmentation.

Affected systems

The vulnerability affects Google Chrome on all major platforms: Windows, macOS, and Linux systems running Chrome version 149.0.7827.53 or earlier. Android Chrome is not mentioned in the advisory. The underlying Chromium engine is shared across multiple browser vendors and Electron-based applications, so derivative products built on affected Chromium versions should also be reviewed. Verify patch status across your browser deployment inventory.

Exploitability

Exploitation is not trivial and requires a multi-stage attack: First, the attacker must compromise Chrome's renderer process through a separate vulnerability or attack method (sandbox escape, use-after-free, etc.). Then, the victim must visit a malicious HTML page crafted to trigger the policy enforcement gap. Finally, user interaction is required. This is not a remote code execution or standalone renderer bypass; it's a post-compromise privacy leakage issue. Active exploitation in the wild is not documented (KEV status: no).

Remediation

Update Chrome to version 149.0.7827.53 or later on all platforms. The patch hardens policy enforcement within the password manager to prevent unauthorized access from a compromised renderer. Organizations should automate Chrome updates via management tools (Google Admin, Intune, or equivalent) and verify completion across the fleet. Secondary controls—such as enforcing password manager integration restrictions or limiting renderer permissions via security policies—can provide additional defense layers.

Patch guidance

Deploy Chrome version 149.0.7827.53 or newer via your browser management platform. Verify that auto-update is enabled for Chrome; if manual deployment is required, prioritize systems where users store sensitive credentials in Chrome's built-in password manager. Test the patch in a non-production environment first if you have custom enterprise policies or extensions that interact with the password manager. No rollback issues have been reported.

Detection guidance

Monitor Chrome version inventory to identify systems running versions prior to 149.0.7827.53. Check audit logs for abnormal password manager access patterns or credential exfiltration attempts if you suspect a renderer compromise has occurred in your environment. Network detection is difficult because the attack uses only crafted HTML; focus instead on identifying the prerequisite renderer compromise through memory dumps, crash logs, or sandbox escape indicators. Endpoint detection and response (EDR) tools should monitor for processes that attempt to read Chrome's credential storage directly.

Why prioritize this

Although the CVSS score is low (3.1), patching is important for any organization using Chrome with stored credentials. Prioritize based on your actual use of Chrome's password manager and your risk tolerance for credential disclosure. If you enforce a centralized password manager (Okta, 1Password, LastPass) and discourage use of Chrome's native storage, the practical risk is reduced. If Chrome's password manager is widely used, treat this as a normal-priority patch cycle update. This is not an emergency but should not be deferred beyond monthly maintenance windows.

Risk score, explained

The CVSS 3.1 score of 3.1 (LOW) reflects the attack's constraints: high complexity (AC:H) due to the need for a pre-existing renderer compromise, requirement for user interaction (UI:R), and limited impact scope (confidentiality only, no integrity or availability damage). The network attack vector (AV:N) acknowledges that the malicious HTML can be delivered remotely, but the prerequisite renderer compromise anchors the difficulty significantly higher than a direct vulnerability would be. The score appropriately downgrades an otherwise high-impact credential disclosure to low severity because of its strict exploitation preconditions.

Frequently asked questions

Do I need to worry about this if I don't use Chrome's password manager?

No. If your users rely on a dedicated password manager or do not store credentials in Chrome, this vulnerability poses minimal risk. Verify your browser policies to confirm that Chrome's built-in password manager is either disabled or unused in your environment.

Can this vulnerability be exploited without first compromising the renderer?

No. The attacker must already have control of Chrome's renderer process. This is a post-compromise credential disclosure issue, not a standalone remote code execution vector. If an attacker can compromise the renderer, they likely have broader system access already.

Is this vulnerability actively being exploited?

No. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and no public proof-of-concept or active exploitation has been disclosed. Patching should follow your normal monthly update cycle unless you have specific indicators of renderer compromise in your environment.

Which Chrome versions are affected?

All versions of Chrome prior to 149.0.7827.53 are vulnerable. Check your current Chrome version by navigating to Chrome menu > About Chrome. The browser will report its version and automatically check for updates.

This analysis is provided for informational purposes and represents the current understanding of CVE-2026-11251 as of the publication date. Security threats and vendor responses evolve rapidly. Verify all patch versions, affected product lists, and exploit status against official vendor advisories from Google Chrome Security before taking remediation actions. Conduct internal risk assessments specific to your environment, including your actual use of Chrome's password manager and any compensating controls. This vulnerability analysis does not constitute professional security advice; consult your organization's security team and legal counsel for deployment decisions. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and shall not be liable for any damages arising from reliance on this information. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).