MEDIUM 4.3

CVE-2026-11267: Chrome Content Security Policy Bypass via Malicious Extensions

A vulnerability in Google Chrome's extension framework allows a malicious extension to bypass content security policy (CSP) protections if a user installs it. The issue stems from insufficient policy enforcement mechanisms that fail to properly validate extension behavior. While the underlying Chromium severity is rated as Low, the CVSS assessment elevates it to Medium due to the user interaction requirement combined with potential integrity impact. An attacker would need to socially engineer a user into installing a compromised extension—a realistic but not trivial attack vector.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-602
Affected products
4 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11267 represents a policy enforcement gap in the Chrome Extensions API prior to version 149.0.7827.53. The vulnerability allows a crafted extension to circumvent content security policy restrictions, which are a primary defense mechanism preventing inline script execution and unauthorized resource loading. The issue is classified under CWE-602 (Client-Side Enforcement of Server-Side Security), indicating that CSP validation occurs in the browser rather than being enforced at a system level. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects network accessibility, low attack complexity, no privilege requirement, required user interaction, and limited integrity impact with no confidentiality or availability impact.

Business impact

The practical business risk depends on deployed extension security posture. For organizations using CSP as a defense against malicious script injection, a compromised extension bypassing these controls could enable unauthorized modifications to web content, credential harvesting, or malware injection within the browser context. However, the requirement for active user installation limits blast radius compared to browser-engine-level flaws. The impact is primarily on data integrity rather than confidentiality or availability, making this a concern for environments handling sensitive transactions or where extension governance is weak.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are affected. The vulnerability impacts Chrome on all major operating systems listed: Windows, macOS, and Linux. The presence of Linux kernel in the vendor list suggests the issue may affect Chromium-based browsers on Linux distributions as well. Any user running an unpatched Chrome version who installs a malicious extension remains at risk.

Exploitability

Real-world exploitation requires convincing a user to install a malicious extension—a social engineering requirement that prevents automated, large-scale attacks. An attacker would typically distribute the extension through deceptive means (fake stores, phishing, compromised websites) or by compromising a legitimate extension's codebase. Once installed, the extension gains persistent access to bypass CSP, making it a post-compromise attack rather than a zero-click vulnerability. The attack complexity is low once installation occurs, but the user interaction barrier significantly limits opportunistic exploitation.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. The patch restores proper policy enforcement in the extension framework. Organizations should verify this version number against official Google Chrome release notes before deployment. In addition to patching, security teams should implement extension management policies to restrict installation of unsigned or unverified extensions, conduct security awareness training on extension installation risks, and consider using Chrome Enterprise policies to enforce CSP compliance across managed devices.

Patch guidance

Deploy Chrome version 149.0.7827.53 or later through your standard browser update mechanism. For managed environments, use Chrome Enterprise policy to enforce automatic updates or to block extension installation entirely unless whitelisted. Verify the version number in Chrome's Settings > About page (which displays the current version and triggers automatic updates). Test patches in a non-production environment to confirm compatibility with critical web applications or extensions before full rollout. If you manage a Chromium-based browser other than Chrome, check with your vendor for equivalent patch versions.

Detection guidance

Monitor for installation of unsigned, unusual, or suspicious Chrome extensions in your environment. Network detection is limited to observing extension manifest requests or downloads from non-standard sources. Endpoint detection can leverage Chrome policy logging (if Enterprise policies are enabled) to track extension installations. Look for extensions requesting excessive permissions, particularly network access or content script injection capabilities. Review browser security logs for CSP violations that suddenly cease after a specific date, which may indicate a previously-bypassed CSP becoming enforced post-patch. Enterprise customers can use Chrome management console to audit installed extensions across the fleet.

Why prioritize this

While the Chromium severity is Low, the CVSS score of 4.3 (Medium) warrants attention because the vulnerability directly impacts web security controls (CSP) that many organizations rely on. The social engineering requirement prevents panic-level prioritization, but the ease of exploitation once an extension is installed and the integrity impact justify prompt patching. Prioritize remediation for staff-facing systems and users who frequently install browser extensions, and defer slightly for restricted environments where extension installation is already controlled.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects a Medium severity due to the combination of low attack complexity, no privilege or authentication requirement, user interaction (extension installation), and integrity-only impact. The score is calibrated between Low (where the Chromium maintainers initially assessed it) and High because CSP bypass is meaningful in scope but limited in confidentiality or availability impact. The integrity rating accounts for potential content modification and unauthorized script injection, while the lack of confidentiality or availability impact prevents a higher score. This sits squarely in the MEDIUM range, distinguishing it from both minor policy issues and critical control escapes.

Frequently asked questions

Do I need to worry about this if I only use the extensions from the Chrome Web Store?

Partially. The Chrome Web Store is curated and signed extensions are vetted, but compromised extensions or malicious developers can still bypass submission reviews. Additionally, third-party extensions (even legitimate ones) could be patched with malicious code in updates. Your primary defense is the patch—update to 149.0.7827.53 or later. Beyond that, limit extension installations to only those you actually need, review permissions carefully, and monitor extension updates for unexpected changes.

What does 'bypassing content security policy' actually mean for an end user?

Content security policy is an HTTP header that tells the browser 'only allow scripts from these approved sources' and 'block inline scripts.' A malicious extension that bypasses CSP can inject or execute code that would normally be blocked, potentially stealing credentials, modifying web pages you visit, or injecting malware. For example, if you visit your bank's website and a CSP-bypassing extension runs, it could capture your login credentials or alter the displayed account balance—all without your knowledge.

Is this vulnerability being actively exploited?

There is no indication this vulnerability is included in the CISA Known Exploited Vulnerabilities (KEV) catalog, which means it is not known to be exploited in the wild at this time. However, the low barrier to exploitation once an extension is installed means that if a determined attacker distributes a malicious extension, it could be weaponized quickly. Stay patched and maintain extension security hygiene rather than assuming it will remain unexploited.

What if I use a Chromium-based browser like Edge or Brave?

Microsoft Edge and other Chromium-based browsers are typically updated based on the Chromium upstream patches. Microsoft Edge would receive an equivalent patch through its own update cycle (typically within a few weeks of Chromium release). Check your specific browser vendor's release notes for their equivalent version number. Brave and other Chromium forks should also receive the patch, but timing may vary. Always verify against your vendor's advisory rather than assuming synchronous releases.

This analysis is provided for informational purposes and reflects the publicly disclosed vulnerability details as of the publication date. Version numbers, patch dates, and KEV status are based on authoritative vendor sources and may change. Organizations should verify all patch version numbers and compatibility requirements against official vendor advisories before deployment. No exploit code or weaponized proof-of-concept is provided. Security decisions should account for your specific environment, risk tolerance, and asset criticality. When in doubt, consult your security team or the vendor's official guidance. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).