CVE-2026-11278: Cross-Origin Data Leak in Chrome CustomTabs (Android)
Google Chrome on Android contains a flaw in how it handles CustomTabs—a feature that allows apps to open web content in a customized browser interface. An attacker can craft a malicious HTML page that, when opened by a user, leaks data intended to be protected across different websites. This is a local attack requiring user interaction (clicking or opening the page), but the confidentiality impact is significant because sensitive information from one origin could be exposed to another.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-346
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11278 stems from an inappropriate implementation in the CustomTabs component of Google Chrome for Android versions before 149.0.7827.53. The vulnerability allows for cross-origin data leakage through a specially crafted HTML page. The root cause is classified under CWE-346 (Origin Validation Error), indicating that the browser fails to properly validate or enforce origin boundaries when processing content within the CustomTabs interface. An attacker with local access or the ability to deliver a crafted webpage can bypass the same-origin policy in specific scenarios, resulting in unauthorized information disclosure.
Business impact
For organizations managing Android devices or whose users access web applications through Chrome on Android, this vulnerability poses a confidentiality risk. Enterprise users working with sensitive web applications—financial portals, email, SaaS platforms—could inadvertently expose authentication tokens, session data, or personal information if they visit a malicious webpage while CustomTabs is in use. The attack requires user interaction, which limits immediate large-scale automated exploitation, but targeted phishing or malicious advertising could leverage this vector. The CVSS score of 6.5 (Medium) reflects the high confidentiality impact balanced against the requirement for user action and network-based attack delivery.
Affected systems
Google Chrome on Android devices running versions prior to 149.0.7827.53 are affected. CustomTabs is widely used by Android applications to embed web content, so the exposure extends beyond Chrome itself to any app integrating this component. Organizations with Android fleets should verify their Chrome version and deployment policies. Google Android is listed as an affected product, though the vulnerability is specific to Chrome's CustomTabs implementation rather than the underlying OS.
Exploitability
This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting no evidence of active exploitation in the wild at this time. However, the attack vector is network-based, requires no authentication, and exploitability relies on user interaction—a common vector for web-based social engineering. The barrier to exploitation is relatively low; an attacker needs only to host a crafted HTML page and trick a user into opening it. The Local severity rating from Google suggests limited real-world impact so far, but the mechanism (origin validation failure) is a class of vulnerability that, if widely understood, could attract researcher attention.
Remediation
Update Google Chrome on Android to version 149.0.7827.53 or later. Google has patched the CustomTabs implementation to properly enforce origin boundaries. Organizations should prioritize this update for devices handling sensitive applications or user data. For enterprises deploying Chrome via managed configurations, enable automatic updates or push the patched version through your device management platform. No known workarounds exist; patching is the definitive remediation.
Patch guidance
Deploy Chrome version 149.0.7827.53 or later. For Android Enterprise environments, verify the patch through your MDM solution and track rollout completion. Users on personal or corporate-owned Android devices should enable automatic Chrome updates via the Google Play Store. Verify patch deployment by checking Settings > About Chrome and confirming the version number matches or exceeds 149.0.7827.53. Given the Medium severity and user-interaction requirement, prioritize patching for high-risk user groups first (those handling financial, healthcare, or authentication-critical workflows).
Detection guidance
Monitor for Chrome version compliance across your Android device inventory using MDM telemetry or security audit tools. Within your network, inspect HTTP traffic for delivery of suspicious HTML pages targeting users—though TLS encryption will limit visibility. Endpoint detection systems with Android support should flag attempts to exploit origin validation in browser contexts, though signatures for this specific vulnerability may not yet be available. User awareness training should emphasize caution when clicking links in emails or messaging apps, particularly those directing to unfamiliar domains. Consider leveraging Chrome's safe browsing capabilities and ensuring that managed devices have up-to-date threat intelligence.
Why prioritize this
While classified as Medium severity, this vulnerability should be patched in a standard, timely fashion rather than marked as emergency. The requirement for user interaction significantly reduces the blast radius compared to remote code execution or network-worm scenarios. However, organizations whose Android users handle high-value data (finance, healthcare, legal) should front-load patching for those cohorts. The vulnerability is unlikely to be a critical incident driver, but delayed patching unnecessarily exposes sensitive workflows to a known and patchable cross-origin data leakage vector.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects a high confidentiality impact (C:H) combined with no integrity or availability impact, a network attack vector, low attack complexity, no privilege requirement, and required user interaction. The score appropriately balances the severity of data leakage against the practical barriers to exploitation. Google's own assessment of 'Low' severity suggests this may be a lower-impact variant or that real-world exposure is limited; the CVSS score, however, is the authoritative metric for prioritization frameworks.
Frequently asked questions
Why does Google rate this as 'Low' severity but the CVSS is 'Medium'?
Google's internal severity ratings reflect their assessment of real-world impact and exploitability within their ecosystem. CVSS scores are standardized, algorithmic calculations based on technical attributes. Both are valid; use CVSS for consistent cross-vendor prioritization and Google's rating as context for Chrome-specific risk. In this case, the CVSS score may be more conservative due to the presence of multiple attack factors (network delivery + user interaction), while Google may have lower confidence in active exploitation likelihood.
Does this affect Chrome on other platforms (Windows, Mac, Linux)?
No, the vulnerability is specific to Chrome on Android. The CustomTabs component is Android-exclusive. Desktop Chrome users are not affected. However, organizations managing heterogeneous device fleets should patch their Android Chrome deployments independently of desktop Chrome schedules.
What is CustomTabs and why is it at risk?
CustomTabs is an Android feature that allows third-party apps to open web content in a lightweight, customized Chrome interface without launching the full Chrome browser. It provides a bridge between native apps and web content. The vulnerability exists because the CustomTabs implementation did not properly enforce same-origin policy boundaries, allowing a crafted HTML page to read or infer data from other origins when loaded within CustomTabs. Patching restores proper origin validation.
If this requires user interaction, how likely is real-world exploitation?
Real-world likelihood depends on attacker motivation and targeting. A sophisticated threat actor could craft phishing emails or malicious ads directing users to a crafted webpage, or compromise a legitimate site to inject the malicious payload. For mass campaigns, the overhead is moderate. For targeted attacks against specific organizations or individuals, the barrier is low. The absence from the KEV catalog suggests it has not yet been weaponized at scale, but organizations should not rely on this as assurance.
This analysis is provided for informational purposes and based on publicly available vulnerability data current as of the publication date. Patch version numbers and remediation steps should be verified against official Google Chrome and Android security advisories before deployment. Organizations should conduct their own risk assessment in the context of their specific device fleet, user workflows, and data sensitivity. No liability is assumed for the accuracy or completeness of this content. Always consult vendor advisories for definitive guidance on vulnerability scope, affected versions, and patching procedures. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10010MEDIUMChrome Android Site Isolation Bypass
- CVE-2026-10937MEDIUMChrome Same-Origin Policy Bypass in Password Handling
- CVE-2026-10996MEDIUMChrome Same-Origin Policy Bypass in Web Workers
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw
- CVE-2026-11048MEDIUMChrome Extension Same-Origin Policy Bypass (Medium, 6.5)
- CVE-2026-11081MEDIUMChrome Canvas Same-Origin Policy Bypass