MEDIUM 6.5

CVE-2026-11258: Chrome File System Access Control Bypass (CVSS 6.5)

Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser handles file system access permissions. An attacker can craft a malicious webpage that, when visited, tricks users into performing specific clicks or gestures that bypass the browser's normal access controls. This allows the attacker to gain unauthorized access to files on the user's computer that would normally be protected. The vulnerability requires user interaction and social engineering to exploit, but once triggered, could expose sensitive files.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-284
Affected products
4 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in File System Access in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11258 stems from an inappropriate implementation of discretionary access control (DAC) enforcement in Chrome's File System Access API. The vulnerability resides in the browser's permission model for file access, which relies on user confirmation through specific UI gestures. A remote attacker can craft HTML content that manipulates these UI interactions, causing the browser to grant file access permissions without proper validation. The attack vector is network-based with low attack complexity; exploitation depends on user interaction (UI:R). The issue affects the confidentiality and integrity boundary of the file system by allowing unauthorized file reads or modifications through a Web API that should enforce stronger access gates.

Business impact

Organizations where users browse the web on company devices face a direct risk of unauthorized file exfiltration. Attackers could craft targeted phishing campaigns or compromised websites that steal sensitive documents, configuration files, or credentials stored on affected machines. The impact is particularly acute for knowledge workers who use Chrome as their primary browser and may be accustomed to granting permissions without scrutiny. Incident response teams should anticipate potential data loss incidents tied to this vulnerability if unpatched systems are compromised. The requirement for user interaction slightly lowers risk compared to wormable flaws, but does not eliminate it given social engineering effectiveness.

Affected systems

Google Chrome prior to version 149.0.7827.53 is the primary affected component. Since Chrome is cross-platform, the vulnerability affects Windows, macOS, and Linux systems running vulnerable versions. The listed vendor products (Windows, macOS, Linux kernel) indicate that the underlying operating systems are affected only insofar as Chrome runs on them; the root cause is in Chrome itself, not in OS-level code. Users and administrators managing Chrome deployments across heterogeneous environments must prioritize updates equally across all platforms.

Exploitability

Exploitation requires a remote attacker to convince a user to visit a crafted webpage and perform specific UI gestures (clicks, confirmations, or interactions with permission prompts). This is a moderate bar compared to zero-interaction flaws, but well within reach of phishing, watering-hole attacks, or compromised ad networks. The low attack complexity and lack of privilege requirements mean that any unauthenticated attacker can attempt exploitation. Chromium's public security severity rating of 'Low' reflects the researcher's assessment of real-world risk, though the assigned CVSS 3.1 score of 6.5 (MEDIUM) accounts for the integrity impact potential. The vulnerability is not known to be in active exploitation (not on the CISA KEV list as of the publication date), but the gap between disclosure and patch deployment represents a window of opportunity for threat actors.

Remediation

Update Google Chrome to version 149.0.7827.53 or later on all affected platforms (Windows, macOS, Linux). Chrome auto-updates are enabled by default for most users, but organizations with managed deployments should verify update status and force deployment if necessary. Verify the installed version via chrome://version/ or Settings > About Google Chrome. For enterprises, use Google Chrome Policy settings to enforce the minimum version requirement and monitor compliance. Until patched, users should be cautious with permission prompts in the browser and avoid clicking through unfamiliar or suspicious permission requests.

Patch guidance

Google has released Chrome 149.0.7827.53 as the stable release containing the fix. Update via the standard Chrome update mechanism, which typically checks for updates every few hours. On Windows and macOS, users may be prompted to relaunch the browser to apply updates. On Linux, the update availability depends on the distribution's package manager; verify with your vendor's Chrome release channel. Enterprise administrators should consult Google's Chrome Enterprise release notes and consider staged rollouts to validate compatibility with internal applications. No additional configuration changes are required post-patch; the fix is transparent to end users.

Detection guidance

Monitor for signs of user interaction with suspicious HTML pages that request file system access permissions, particularly if followed by unexpected file reads or network exfiltration. Endpoint detection and response (EDR) tools should alert on Chrome process spawning with unusual file I/O patterns, especially access to sensitive directories (Documents, Downloads, Desktop) immediately after browser activity. Network security tools may detect exfiltration of files matching common sensitive patterns (PII, credentials, source code). Browser history analysis and user reporting are valuable: ask users to review their recent permission prompts if they notice unusual activity. Note that the attack leverages legitimate file system access APIs, so detection requires behavioral correlation rather than signature-based rules.

Why prioritize this

This vulnerability merits prompt patching because it enables integrity and confidentiality violations of user files with relatively low user friction. While Chromium rated it 'Low' severity, the CVSS score of 6.5 reflects the real-world impact of unauthorized file access. The widespread use of Chrome and the cross-platform nature of the vulnerability mean that the absolute number of affected assets is very high. The lack of KEV listing and active exploitation is a small mitigating factor, but should not delay remediation given that proof-of-concept development is straightforward for motivated attackers. Organizations with sensitive data on user devices (finance, healthcare, legal, research) should prioritize this above lower-impact flaws.

Risk score, explained

CVSS 3.1 score of 6.5 (MEDIUM) reflects: network attack vector (AV:N) allowing remote exploitation, low attack complexity (AC:L) requiring no special conditions, no privilege escalation needed (PR:N), but requiring user interaction (UI:R). The vector assigns no confidentiality impact (C:N) on the assumption that file read is not the primary threat model, but high integrity impact (I:H) recognizing that the attacker can modify files or cause the user to grant unintended access. No availability impact (A:N) since the attack does not cause denial of service. The MEDIUM rating is proportional to a real-world threat of file tampering via social engineering, though organizations handling highly sensitive data should treat this as a higher priority than the numerical score alone suggests.

Frequently asked questions

Can users be infected with malware via this vulnerability without clicking anything?

No. The vulnerability requires specific UI gestures—such as clicking a permission prompt or confirming a dialog—to succeed. An attacker cannot silently grant themselves file access; they must trick the user into actively participating in the permission grant. This is why the CVSS metric includes 'User Interaction Required' (UI:R).

Does updating Chrome automatically fix the vulnerability for all platforms?

Chrome's auto-update feature applies updates to Windows, macOS, and Linux systems, typically within a few hours of release. Most users will receive version 149.0.7827.53 or later automatically. Enterprise administrators should verify rollout status using Chrome Policy tools or by checking installed versions on a sample of machines. Verify with chrome://version/ to confirm you are on the patched version.

If my organization uses Chromebooks or Chrome managed by Google Workspace, am I automatically protected?

Google Workspace-managed devices and Chromebooks benefit from more aggressive auto-update policies. Chromebooks in particular run Chrome OS, which updates more frequently and comprehensively. However, verify with your Google Workspace admin console that the device policy enforces the latest Chrome version. Managed browsers update faster than consumer Chrome, but do not assume protection until you verify the actual version on devices.

Could an attacker use this to steal passwords or authentication tokens stored in Chrome?

The vulnerability allows unauthorized file system access via the File System Access API, which targets the user's local files. Chrome's password manager and stored credentials are protected by additional security mechanisms (encryption, secure storage) separate from file system access. While an attacker could theoretically steal files that contain exported passwords or session tokens if the user has saved them to disk, the vulnerability itself does not directly compromise Chrome's built-in credential storage.

This analysis is provided for informational purposes and based on publicly available vulnerability data as of the publication date. SEC.co does not guarantee the accuracy of third-party vendor advisories or patch availability timelines. Organizations should verify patch status against official Google Chrome release notes and test patches in their environment before production deployment. This vulnerability analysis does not constitute legal advice or compliance guidance; consult your organization's security and legal teams for policy implications. No exploit code or weaponized proof-of-concept is provided or endorsed by this analysis. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).