MEDIUM 4.3

CVE-2026-11260: Google Chrome CSP Bypass in Permissions Handling

Google Chrome versions before 149.0.7827.53 contain a flaw in how it handles permissions that allows attackers to bypass the browser's Content Security Policy (CSP) protections via a specially crafted webpage. While the underlying browser vulnerability severity is rated as low, the CVSS assessment elevates this to medium risk because it requires user interaction but could enable an attacker to execute unintended behavior or inject content that CSP should block. The issue affects Chrome on Windows, macOS, and Linux.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-693
Affected products
4 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from an inappropriate implementation in Chrome's permission handling mechanism that fails to properly enforce Content Security Policy directives. An attacker can craft malicious HTML that exploits this permissions logic gap to bypass CSP restrictions, allowing injection of inline scripts or other content that policy headers should reject. The flaw is classified under CWE-693 (Incorrect Handling of Exceptional Conditions), indicating the browser does not adequately validate or handle edge cases in its CSP enforcement when permissions interact with content restrictions. No network privileges are required, and the vulnerability operates within the browser's normal security context without requiring user to grant additional permissions beyond normal browsing.

Business impact

This vulnerability primarily affects organizations that rely on Content Security Policy as a defense-in-depth control against cross-site scripting (XSS) and injection attacks. When users visit attacker-controlled or compromised websites, the CSP bypass could allow malicious scripts to execute in a context where policy rules should prevent them. For enterprises that depend on CSP to mitigate phishing payloads, credential theft, or malware distribution via web pages, this creates a meaningful security gap. The impact is limited by the fact that user interaction is required—the user must visit a malicious page—but this remains a plausible attack surface given social engineering and drive-by compromises.

Affected systems

The vulnerability affects Google Chrome browser installations prior to version 149.0.7827.53 running on Windows, macOS, and Linux operating systems. Any organization where Chrome is deployed as a supported or tolerated browser faces potential exposure. This includes enterprises using Chrome as a primary or secondary browser, as well as BYOD environments where Chrome usage cannot be entirely controlled.

Exploitability

The attack has a low complexity barrier: an attacker needs only to host or inject a crafted HTML page into a user's browsing session. User interaction is mandatory—the victim must visit the malicious page or click a link to it—which introduces friction but does not represent a high barrier in realistic attack scenarios involving phishing, watering holes, or compromised ad networks. There is no evidence this vulnerability has been actively exploited in the wild or included in public exploit databases, and it is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Weaponized proof-of-concept code does not appear to be widely available.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome on Windows, macOS, and Linux all receive patches through the same release cycle. Most Chrome installations update automatically; however, organizations managing Chrome deployment should verify patch application across their fleet. For users unable to update immediately, mitigating controls include disabling JavaScript in high-risk contexts, blocking access to known attacker-controlled domains, and enforcing strong CSP headers at the application level to add defense-in-depth even if the browser bypass occurs.

Patch guidance

Google has released Chrome 149.0.7827.53 to address this issue. Users should enable automatic updates or manually check Help > About Google Chrome to trigger the update process. Organizations managing Chrome via enterprise policies should test the patch in a staging environment and deploy via their Chrome management console (Google Admin, MDM, or ADMX policies) to ensure compatibility with internal web applications before rolling out to production. Verify patch application by confirming the version string in chrome://version or chrome://help.

Detection guidance

Detection at the endpoint level can focus on monitoring for Chrome versions below 149.0.7827.53 in asset inventories and vulnerability scanners. Web application firewalls and proxies may detect anomalous CSP bypass attempts through pattern analysis of requests that should trigger CSP violations but succeed; however, this requires baseline tuning. Organizations should audit CSP policies on internal applications to ensure they are robust and not overly permissive. Network detection of exploitation is challenging without behavioral anomalies; focus detection efforts on identifying unpatched Chrome instances in your environment and prioritizing their remediation.

Why prioritize this

Although the Chromium severity is low, the CVSS 3.1 score of 4.3 (medium) reflects the integrity risk posed by CSP bypass. This warrants standard priority patching—not emergency, but ahead of cosmetic or denial-of-service issues. Organizations with strong web application security postures and defense-in-depth controls (such as robust CSP, WAF rules, and sandboxing) can tolerate a slightly longer patch window. Those relying heavily on CSP as a primary XSS defense should prioritize this patch within 2–4 weeks. The lack of active exploitation or KEV status means this is not an imminent threat, but the user-interaction requirement and browser prevalence argue against indefinite deferral.

Risk score, explained

The CVSS 3.1 base score of 4.3 reflects a medium-severity vulnerability with attack vector network (AV:N), low attack complexity (AC:L), no privilege requirements (PR:N), but required user interaction (UI:R). The impact is limited to integrity (I:L) with no confidentiality or availability impact. This balances the ease of delivery and broad reach of the attack surface (any webpage) against the requirement that a user must visit the malicious page and the limited scope of impact (CSP bypass, not code execution). The score appropriately excludes the risk of widespread automated exploitation while acknowledging the practical exploitability in real-world phishing or watering-hole scenarios.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. The vulnerability enables bypass of Content Security Policy protections, which could allow an attacker to inject scripts or other content that the policy should block. However, it does not directly grant code execution outside the browser's normal sandboxing model. The severity is tied to the integrity risk of injection attacks, not to arbitrary code execution on the underlying system.

Will Chrome update automatically?

Yes, most Chrome installations update automatically and should receive version 149.0.7827.53 within hours or days of release. Users can manually trigger an update by navigating to Help > About Google Chrome. Enterprise deployments may have auto-update disabled; administrators should verify patches via their management console and deploy if needed.

Is this vulnerability actively being exploited?

There is no public evidence of active exploitation or inclusion in CISA's Known Exploited Vulnerabilities catalog as of the latest data. The vulnerability requires user interaction and relies on social engineering or watering-hole tactics to be effective, which limits its appeal compared to zero-days with no user interaction. However, the relative ease of crafting a malicious HTML page means opportunistic attackers may attempt exploitation once the vulnerability is widely known.

What is Content Security Policy and why does its bypass matter?

Content Security Policy (CSP) is a browser security feature that lets website owners restrict which resources (scripts, stylesheets, images, etc.) can be loaded and executed on a page. It is a critical defense against cross-site scripting (XSS) attacks. When CSP is bypassed, attackers can inject and execute malicious scripts even when a policy should prevent them, potentially leading to credential theft, malware distribution, or other compromise of the user's session.

This analysis is based on publicly available information current as of the vulnerability's publication and modification dates. Patch version numbers, affected product lists, and CVSS scores are derived from authoritative vendor advisories and the National Vulnerability Database. Organizations should verify patch applicability in their specific environments and test before production deployment. This summary is for informational purposes and does not constitute legal or compliance advice. No exploit code or weaponized proof-of-concept instructions are provided. Always consult official vendor documentation and your organization's security policies for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).