CVE-2026-11264: Content Security Policy Bypass in Chrome – Patch to 149.0.7827.53
Google Chrome versions before 149.0.7827.53 contain a flaw in how Content Security Policy (CSP) is enforced. An attacker can craft a malicious HTML page that, when visited by a user, bypasses the browser's CSP protections. This allows the attacker to inject or execute content that the website owner intended to block, potentially leading to credential theft, session hijacking, or other attacks that degrade site security. The vulnerability requires user interaction—the victim must visit the malicious page—and does not directly compromise the browser itself or enable data exfiltration.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-693
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Policy bypass in Content Security Policy in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in Chrome's Content Security Policy implementation (CWE-693: Improper Neutralization of Special Elements used in a Policy). A remote attacker can construct a specially crafted HTML document that causes Chrome to mishandle or fail to enforce CSP directives. The bypass is not a memory corruption or authentication flaw, but rather a logic error in policy validation. The attack vector is network-based with low attack complexity, requiring only user interaction (clicking a link, visiting a site). The Chromium security team rated this as Low severity in their internal assessment, though the CVSS 3.1 score of 4.3 reflects a Medium severity due to the integrity impact of allowing unauthorized content execution.
Business impact
Organizations relying on websites protected by CSP to prevent XSS attacks, data exfiltration, or malware injection face a degraded security posture for Chrome users running vulnerable versions. SaaS platforms, financial institutions, and any web property using CSP as a key defensive layer should treat this as a control weakness during the window before user patching. The impact is primarily on web application security rather than endpoint compromise; however, it can facilitate credential theft or session hijacking if an attacker chains this with social engineering or malicious ad injection.
Affected systems
Google Chrome prior to version 149.0.7827.53 is directly affected. The vulnerability also impacts Apple macOS, Microsoft Windows, and Linux systems that run vulnerable Chrome versions, since Chrome is cross-platform. Organizations should inventory Chrome deployments across all operating systems in their environment. Chromium-based browsers (Edge, Brave, Opera, etc.) derived from the same codebase may also be vulnerable depending on their release cycle and whether they have applied the corresponding patch.
Exploitability
Exploitability is moderate. The attack requires crafting a malicious HTML page and convincing or tricking a user into visiting it—either through phishing, malvertising, or compromised third-party content. There is no known public exploit code, and the vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the attack surface is large because any website an employee visits could potentially be compromised or weaponized. Once visited, no additional user action is required; the CSP bypass occurs passively.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome typically auto-updates on most systems, but users should verify they are on the latest version via Chrome Settings > About Chrome. Organizations managing Chrome centrally (via MDM, Group Policy, or enterprise deployment) should push the patched version to all devices. No workarounds exist; patching is the only mitigation. For web administrators, review CSP policies to ensure defense-in-depth; do not rely solely on CSP during the remediation window.
Patch guidance
Chrome 149.0.7827.53 and subsequent releases contain the fix for this CSP bypass. Verify the patch version in your deployment against the official Chrome release notes published after June 5, 2026. For enterprise environments, test the patch in a limited pilot before full rollout to confirm no regressions with internal applications. Note that this patch also includes fixes for other security issues; review the full advisory to understand the complete security updates bundled in the release.
Detection guidance
Monitor network logs and web server logs for signs of CSP bypass attempts: look for requests that violate expected CSP policies but were allowed to succeed, or unusual cross-origin requests that should have been blocked. Browser telemetry and security event logs may show CSP violations that were not properly blocked. However, passive detection is limited because the vulnerability manifests as a logic flaw rather than a crash or error. Endpoint detection tools should focus on ensuring Chrome version compliance; organizations can audit installed Chrome versions via MDM or script-based scanning. Consider blocking or warning on untrusted external websites if CSP protection is critical for your infrastructure.
Why prioritize this
This vulnerability should be prioritized as Medium-High for urgent patching despite its modest CVSS score. Reason: (1) CSP is a foundational web security control; bypassing it weakens multiple downstream defenses; (2) the attack surface is large and user-initiated, making it difficult to defend against at the perimeter; (3) Chrome is ubiquitous in corporate and consumer environments; (4) the vulnerability is unpatched in millions of instances. While not in KEV and rated Low severity by Chromium, the breadth of affected systems and the attack vector justify aggressive patching within 7–14 days.
Risk score, explained
The CVSS 3.1 score of 4.3 (Medium) reflects: Network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requires user interaction (UI:R). The impact is limited to integrity (I:L)—allowing unintended content execution—with no confidentiality or availability impact. The low Chromium severity rating acknowledges that the vulnerability does not directly compromise the browser or enable remote code execution. However, the real-world risk is elevated due to the prevalence of Chrome, the fundamental nature of CSP as a security control, and the ease with which social engineering can drive users to malicious pages. Organizations should weigh the CVSS score alongside business context.
Frequently asked questions
Does this vulnerability allow an attacker to run arbitrary code on my computer?
No. The vulnerability allows an attacker to bypass Content Security Policy on a webpage, potentially enabling them to inject malicious scripts or other content. However, it does not grant direct remote code execution on the underlying operating system. The impact is scoped to the browser context and the specific web application's security.
Will my Chrome browser auto-update to the patch?
Chrome is designed to auto-update in the background. Most users will receive version 149.0.7827.53 automatically within a few days of its release. You can verify your version by going to Chrome Settings > About Chrome, which will also force a check for updates. Enterprise users should consult their IT administrator, as organizations may manage updates centrally.
What should web administrators do to protect against this until users patch?
While users patch, web administrators should assume CSP may not reliably block unauthorized content in older Chrome versions. Consider implementing additional server-side controls such as Subresource Integrity (SRI) for scripts, X-Frame-Options headers, and strict input validation. Review logs for suspicious CSP violation attempts. Do not introduce new critical functionality reliant on CSP alone during this window.
Is this vulnerability exploited in the wild?
As of the published date, the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and there is no evidence of widespread active exploitation. However, absence of public knowledge does not mean exploitation has not occurred. Organizations should treat this as an urgent patching priority to stay ahead of potential future exploitation.
This explainer is based on publicly available vulnerability data as of the publication date. Organizations should verify all patch versions and advisory details against official vendor sources before deploying patches. The CVSS score and severity rating are provided for reference; security teams should conduct their own risk assessment based on their specific environment, exposure, and business context. SEC.co does not provide exploit code or weaponization guidance. Always test patches in a controlled environment before enterprise-wide deployment. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11174MEDIUMChrome Site Isolation Bypass – CVSS 5.3 Medium Vulnerability
- CVE-2026-11206MEDIUMChrome Service Worker Data Leak Vulnerability – CVSS 6.5
- CVE-2026-11219MEDIUMGoogle Chrome Navigation Bypass Vulnerability – Patching Guide
- CVE-2026-11234MEDIUMChrome FoldableAPIs Site Isolation Bypass (149.0.7827.53)
- CVE-2026-11260MEDIUMGoogle Chrome CSP Bypass in Permissions Handling
- CVE-2026-11266MEDIUMChrome Safe Browsing Bypass Vulnerability — Patch v149.0.7827.53
- CVE-2026-11288MEDIUMCross-Origin Data Leak via CSS in Chrome – Patch Guidance
- CVE-2026-11292MEDIUMChrome CSP Bypass in Blink Rendering Engine – CVSS 4.3