CVE-2026-11280: Chrome iOS Sign-In UI Spoofing Vulnerability – Patch Guide
A flaw in Google Chrome's sign-in interface on iOS allows an attacker to trick users with a fake login screen. By crafting a malicious web page, an attacker could make it appear that a legitimate Chrome sign-in prompt is appearing, potentially deceiving users into entering credentials or sensitive information. The vulnerability requires user interaction—visiting a crafted page—but does not require authentication or special privileges to attempt. While Google classifies this at low severity internally, the CVSS score reflects medium risk due to the integrity impact of potential credential theft or trust erosion.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Signin in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11280 stems from an inappropriate implementation in Chrome's sign-in UI on iOS. The vulnerability is categorized under CWE-20 (Improper Input Validation), indicating that the browser fails to properly validate or sanitize context when rendering sign-in UI elements. An attacker can craft an HTML page that exploits this weakness to perform UI spoofing—overlaying or mimicking legitimate Chrome sign-in dialogs. The network vector (AV:N) means the attack originates remotely; low attack complexity (AC:L) indicates no special conditions are required beyond delivering the malicious page; no privileges are needed (PR:N); but user interaction is required (UI:R) to visit the page and potentially interact with the spoofed UI. The impact is limited to integrity (I:L)—no confidentiality breach or availability impact is expected from the vulnerability itself, though credential compromise via social engineering would be a secondary risk.
Business impact
This vulnerability poses a credential theft risk. If users are deceived by a spoofed sign-in interface, attackers could harvest Google account credentials, potentially leading to account compromise, unauthorized access to Gmail, Drive, and other Google services, and lateral movement into corporate environments where Chrome sign-in is integrated with enterprise authentication. The reputational and trust impact is also notable: users may lose confidence in Chrome's security posture on iOS. Organizations relying on Chrome sign-in for identity management should consider the phishing amplification effect—an attacker can now combine this UI spoofing with social engineering to increase credential capture success rates.
Affected systems
The vulnerability affects Google Chrome on iOS versions prior to 149.0.7827.53. iOS devices running Chrome are at risk; the vulnerability does not affect Chrome on desktop or Android platforms. The root-cause implementation flaw resides in the iOS-specific signin module, making this a platform-specific issue. Any user on an iPhone or iPad with Chrome installed and unpatched is a potential target.
Exploitability
Exploitability is straightforward from a technical standpoint. An attacker needs only to craft an HTML page that triggers the UI spoofing behavior and distribute it via email, messaging, malware-as-a-service, or compromised websites. The attack is not in the CISA Known Exploited Vulnerabilities catalog, indicating no evidence of active, in-the-wild exploitation at the time of publication. However, the low bar to weaponization (crafted HTML plus social engineering) means that once patches lag, exploitation risk escalates rapidly. The requirement for user interaction is the primary mitigating factor; if a user does not visit the malicious page or interact with the spoofed UI, no breach occurs.
Remediation
Update Google Chrome on iOS to version 149.0.7827.53 or later. Users should enable automatic updates in the iOS App Store to minimize the window of vulnerability. Organizations managing iOS devices via MDM should enforce Chrome version policies to ensure prompt rollout. No workarounds exist; patching is the only mitigation.
Patch guidance
Verify that you are running Chrome version 149.0.7827.53 or later on all iOS devices in your environment. On iOS, updates are delivered through the Apple App Store. Check Settings > About Chrome to confirm the installed version. If automatic updates are not enabled, users should manually update via the App Store. For managed environments, use MDM policies to enforce minimum Chrome versions and restrict users from running older versions. Test the patch in a pilot group before full rollout to ensure compatibility with enterprise workflows.
Detection guidance
Monitor for attempts to access malicious sites designed to exploit this vulnerability. Network logs may show traffic to known phishing domains that use the UI spoofing technique. Endpoint detection should flag unusual Chrome behavior such as sign-in prompts triggered outside the normal browser UI context. Log authentication attempts with failed or suspicious sign-in patterns that coincide with user reports of UI oddities. User awareness training is critical: teach users to verify sign-in URLs in the address bar and to be cautious of sign-in prompts that appear unusual or outside their expected workflow.
Why prioritize this
While the CVSS score is 4.3 (Medium) and Google's internal severity is Low, this vulnerability warrants prompt but not emergency patching. The lack of known active exploitation reduces immediate urgency. However, the ease of weaponization, combined with the credential theft risk, means that once the patch is widely available, attackers will likely develop and distribute exploits. Organizations should treat this as a standard-priority patch to be applied within 30 days. Critical systems or high-value targets should be patched sooner. The fact that it requires user interaction provides a grace period for orderly rollout.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects a network-based attack with low complexity, no privilege requirement, and user interaction needed. The impact is limited to integrity (low), with no confidentiality or availability damage from the vulnerability alone. The score does not account for downstream credential theft or account takeover, which would be consequences of successful social engineering leveraging this UI flaw. The Medium severity rating in CVSS terms flags this as above-minimal risk but below critical, aligning with responsible patching prioritization.
Frequently asked questions
Can this vulnerability be exploited without the user visiting a malicious site?
No. The attacker must craft and distribute an HTML page, and the user must visit it and interact with the spoofed UI. Passive network-based attacks are not possible. However, phishing campaigns can be highly effective at luring users to malicious sites, so user awareness is essential.
Does updating Chrome on iOS automatically protect me, or do I need to change my password?
Updating to version 149.0.7827.53 or later eliminates the technical vulnerability. Changing your password is a prudent secondary step only if you suspect you may have entered credentials into a spoofed sign-in interface. If you have no reason to believe you've been affected, a password change is not strictly necessary after patching, though it is always good practice to review your Google account security settings and check for unusual account activity.
Does this vulnerability affect Chrome on Android or Windows?
No. The vulnerability is specific to the iOS sign-in implementation. Chrome on Android, Windows, macOS, and Linux are not affected. Users on those platforms should still keep Chrome updated for other security improvements, but this particular flaw does not impact them.
Is this vulnerability in the CISA Known Exploited Vulnerabilities list?
No. As of the publication date, there is no evidence of active, in-the-wild exploitation. However, the absence of known exploitation does not mean the vulnerability is risk-free—attackers often develop exploits after a patch becomes available, so timely updating is still important.
This analysis is provided for informational purposes and represents SEC.co's professional assessment based on published vulnerability data as of the modification date (2026-06-17). No liability is assumed for damages arising from use or misuse of this information. Readers should verify patch version numbers and availability against official Google Chrome release notes and their Apple MDM system before deployment. Security decisions should be made in consultation with your organization's risk and compliance teams. This explainer does not constitute security advice specific to your environment. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11023MEDIUMChrome Same-Origin Policy Bypass in WebAppInstalls