CVE-2026-11265: Google Chrome Autofill Cross-Origin Data Leak (CVSS 7.5)
Google Chrome versions before 149.0.7827.53 contain a flaw in the Autofill feature that can allow attackers to steal sensitive data from other websites. An attacker can craft a malicious webpage that, when visited by a user, extracts information that should have been protected by browser isolation mechanisms. The vulnerability requires no user interaction beyond visiting the page and affects confidentiality but not system integrity or availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-352
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11265 results from improper implementation of origin isolation in Chrome's Autofill subsystem. The vulnerability permits cross-origin data leakage through a specially crafted HTML page, violating the same-origin policy that normally restricts scripts from accessing data belonging to other domains. The issue is classified as CWE-352 (Cross-Site Request Forgery), indicating a flaw in how the browser validates and segregates autofilled data across domain boundaries. The attack vector is network-based, requires no authentication, and no special user interaction beyond page navigation.
Business impact
Data leakage from cross-origin contexts could expose credentials, personal information, or session tokens stored in autofill fields. For enterprises, this creates risk of unauthorized access to employee accounts and services if users visit attacker-controlled sites. The confidentiality impact is rated high; attackers can exfiltrate sensitive autofilled content without triggering user warnings. Organizations relying on Chrome for sensitive workflows face exposure until patching is complete.
Affected systems
The vulnerability directly affects Google Chrome on Windows, macOS, and Linux systems running versions prior to 149.0.7827.53. Since Chromium is the underlying engine, Chromium-based browsers may be similarly affected depending on their patch cadence. The broader ecosystem includes systems running Chrome on any supported platform, particularly enterprise deployments where autofill is used for password and form management.
Exploitability
Exploitability is straightforward: an attacker constructs a malicious HTML page and waits for users to visit it via phishing, drive-by compromise, or ad injection. No user interaction beyond navigation is needed, and the attacker gains network-level access without requiring authentication or user credentials. The CVSS score of 7.5 reflects the high confidentiality impact and low complexity of the attack, though Chromium assigned it low internal severity, likely because real-world impact depends on what autofill data a user has populated.
Remediation
Update Google Chrome to version 149.0.7827.53 or later on all affected operating systems. Automatic updates are the primary remediation path for consumer and many enterprise deployments. For organizations with restricted update policies, prioritize Chrome patching in the next maintenance window, given the network-based attack vector requires no user privilege elevation.
Patch guidance
Google Chrome auto-updates on most platforms; verify that your systems are running 149.0.7827.53 or later by navigating to chrome://settings/help, which will check for and install the latest version. Enterprise administrators using Google Admin Console should verify that Chrome policies allow timely updates or manually deploy the patched version. No workarounds replace patching; the vulnerability is in the browser core and cannot be mitigated by policy alone.
Detection guidance
Monitor network traffic for requests to known attacker infrastructure or suspicious autofill-harvesting domains. Endpoint Detection and Response (EDR) tools can flag unusual Chrome process behavior or unexpected data exfiltration. User behavior analytics may reveal accounts accessed from unexpected locations or devices following a potential cross-origin data leak. Log Chrome update compliance to ensure all endpoints reach 149.0.7827.53 within your organization's patch SLA.
Why prioritize this
Although Chromium's internal severity classification is low, the CVSS 7.5 score reflects high confidentiality impact and network accessibility. The attack is trivial to execute (no user interaction, no authentication), and the exposure of autofilled credentials or payment information poses tangible business and compliance risk. Prioritize this patch within 30 days, especially for systems handling sensitive customer or employee data.
Risk score, explained
The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) assigns a score of 7.5 (HIGH) due to: network-based attack surface (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N, UI:N), and high confidentiality impact (C:H) without integrity or availability compromise. The gap between Chromium's low severity and the high CVSS reflects the distinction between internal triage and standardized impact assessment; CVSS weighs network accessibility and lack of user interaction more heavily.
Frequently asked questions
Can this vulnerability be exploited without the user visiting a malicious page?
No. The attack requires the user to navigate to or load content from an attacker-controlled page. However, this is straightforward via phishing emails, compromised ads, or drive-by downloads—common attack chains requiring no special user action beyond clicking a link.
Does updating Chrome to the latest version protect against this?
Yes, provided the version is 149.0.7827.53 or later. Check chrome://settings/help to verify your current version and trigger any pending updates. Auto-update is enabled by default on most Chrome installations.
Are other Chromium-based browsers affected?
Potentially, depending on their patching schedule. Edge, Brave, Vivaldi, and other Chromium derivatives may inherit this vulnerability until they release updates based on Chromium 149. Check your browser vendor's security advisories for specific patch versions.
What data is at risk if I'm exploited?
Any data stored in Chrome's autofill cache is at risk—passwords, credit card numbers, addresses, phone numbers, and other form fields. The attacker gains read-only access; they cannot modify data, but exfiltration of credentials or payment info can enable account takeover or fraud.
This analysis is based on published vulnerability data and vendor advisories current as of the modification date (2026-06-17). Actual patch versions, affected product ranges, and remediation timelines should be verified against official vendor security bulletins. No proof-of-concept or exploit code is provided. Organizations should conduct internal risk assessments and test patches in controlled environments before wide deployment. This content is for informational purposes and does not constitute security advice or a guarantee of protection. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11084MEDIUMChrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
- CVE-2026-11106MEDIUMCross-Origin Data Leak in Google Chrome Media Component
- CVE-2026-11129MEDIUMChrome Extension Cross-Origin Data Leak Vulnerability
- CVE-2026-11134MEDIUMChrome Media Component Cross-Origin Data Leak Vulnerability
- CVE-2026-11139MEDIUMChrome Cross-Origin Data Leak in Paint Implementation
- CVE-2026-11155MEDIUMChrome CSS Cross-Origin Data Leak Vulnerability