CVE-2026-11291: Android Chrome Autofill Same-Origin Policy Bypass
A flaw in how Google Chrome handles autofill on Android devices allows an attacker to craft a malicious webpage that can bypass the browser's same-origin policy protections. By tricking a user into visiting their page, an attacker could potentially manipulate how Chrome autofills data in unexpected ways. Google rates this as low severity internally, though the CVSS score reflects it as medium risk due to the user interaction required and limited scope of potential impact.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-346
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Android Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11291 stems from an inappropriate implementation in the Android Autofill subsystem of Google Chrome. The vulnerability enables circumvention of the same-origin policy (SOP)—a fundamental browser security boundary that prevents scripts from one domain from accessing data belonging to another domain. The flaw requires a remote attacker to host a crafted HTML page and convince a user to visit it. Once a user interacts with the page, the autofill mechanism can be abused to violate SOP constraints, potentially exposing or modifying autofilled credentials or form data. The vulnerability is classified under CWE-346 (Origin Validation Error), indicating the root cause involves improper verification of origin boundaries in the autofill context.
Business impact
The primary business risk centers on credential exposure and unauthorized form manipulation. If an attacker successfully exploits this vulnerability, users' saved passwords, credit card information, or other autofilled data could be exposed or manipulated without their knowledge. Organizations relying on Chrome as a standard browser on Android devices face a credential theft risk, particularly for employees who reuse passwords across corporate and personal services. While the attack requires user interaction and the scope is limited to autofill contexts, the erosion of SOP protections is strategically significant: it weakens one of the core browser security models that protects users from phishing and man-in-the-middle attacks. For enterprises managing mobile fleets, this represents a medium-priority remediation task.
Affected systems
Google Chrome on Android devices running versions prior to 149.0.7827.53 are affected. The vulnerability does not impact Chrome on desktop/other platforms. Android users of Chrome are the primary target. Organizations deploying Chrome as a managed browser on corporate Android devices, or employees using Chrome on personal Android phones for work purposes, are in scope.
Exploitability
Exploitation requires an attacker to craft a malicious HTML page and convince a user to visit it—a phishing or watering-hole scenario. No network-based exploitation is possible; the attack is confined to the browser context and depends entirely on user interaction. The vulnerability cannot be exploited silently or remotely without user action. The CVSS vector reflects these constraints: AV:N (network attack surface), AC:L (low complexity once a user visits the page), PR:N (no privileges needed), UI:R (user interaction required), and limited integrity impact. Real-world exploitation is plausible but not trivial, as it requires convincing a user to visit a attacker-controlled page. This is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Users and administrators should update Chrome on Android to version 149.0.7827.53 or later. Google has patched the autofill implementation to properly enforce same-origin policy boundaries. Organizations managing Chrome on Android through Mobile Device Management (MDM) should prioritize this update in their deployment schedules. For users on unmanaged devices, the update should be applied as soon as Google Play distribution reaches their device. Because the vulnerability requires user interaction and is not being actively exploited at scale, this is a standard-priority patch rather than an emergency one.
Patch guidance
Verify that affected Chrome installations have been updated to version 149.0.7827.53 or later. On managed Android devices, use your MDM platform to enforce the update and confirm deployment. Users can manually check their Chrome version by navigating to Chrome menu → Settings → About Chrome, which will automatically check for and apply updates. For enterprise deployments, consider setting a 30–60 day remediation window to allow for normal device rotation and user availability. Test autofill functionality after patching to ensure no regression in legitimate form-filling workflows.
Detection guidance
Detection of exploitation attempts is limited to user-reported anomalies or suspicious autofill behavior. Monitor for user reports of unexpected credential leaks or unauthorized account access from Android devices. Organizations can review Chrome browser logs (if available through MDM) for unusual autofill activity, though Chrome's privacy model limits visibility into individual autofill events. Network-based detection is not feasible, as the attack occurs entirely within the browser context. If credential breaches occur following a specific time window and are concentrated among Android Chrome users, investigate whether a phishing campaign exploiting this vulnerability was conducted.
Why prioritize this
This vulnerability merits prompt but not emergency remediation. The CVSS 4.3 score and requirement for user interaction mean it poses moderate rather than critical risk. However, the nature of the flaw—a SOP bypass affecting credential autofill—makes it strategically important to patch before attackers develop and distribute weaponized phishing campaigns. The absence of KEV status and active exploitation indicates the threat landscape has not yet mobilized around this CVE, creating a window of opportunity to deploy patches proactively.
Risk score, explained
The CVSS 4.3 (Medium) score reflects a network-accessible vulnerability with low attack complexity and moderate integrity impact, tempered by the requirement for user interaction and limited scope. While Chromium's internal assessment rated it as Low severity, the CVSS calculation appropriately emphasizes the SOP bypass as a meaningful security boundary violation. For organizations, the practical risk depends on the prevalence of Chrome on Android in your environment and the sophistication of your users' security awareness—phishing-prone user populations elevate the real-world risk.
Frequently asked questions
Can this vulnerability be exploited without user action?
No. An attacker must craft a malicious HTML page and convince a user to visit it. There is no remote code execution or silent exploitation pathway. The attack vector is phishing or social engineering.
Does this affect Chrome on Windows, macOS, or Linux?
No. This vulnerability is specific to Chrome on Android. Desktop and laptop users are not affected.
What kind of data is at risk?
Autofilled form data is at risk, including saved passwords, credit card numbers, usernames, and other personally identifiable information that Chrome has learned to autofill. Data exposed depends on what information a user has allowed Chrome to remember.
If I've already updated to Chrome 149.0.7827.53 or later, am I protected?
Yes. The patch properly restores same-origin policy enforcement in the autofill implementation. Verify your Chrome version in Settings → About Chrome to confirm you are on the patched build.
This analysis is based on publicly disclosed information from Google's security advisories and the CVE record as of the publication date. Threat intelligence is subject to change as new information becomes available. Organizations should verify patch availability and compatibility within their own environments before deployment. This document does not constitute legal or compliance advice. SEC.co makes no warranties regarding the completeness or accuracy of this analysis and disclaims liability for any damages arising from reliance on this content. Always consult vendor advisories and conduct your own risk assessment. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10010MEDIUMChrome Android Site Isolation Bypass
- CVE-2026-10937MEDIUMChrome Same-Origin Policy Bypass in Password Handling
- CVE-2026-10996MEDIUMChrome Same-Origin Policy Bypass in Web Workers
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw
- CVE-2026-11048MEDIUMChrome Extension Same-Origin Policy Bypass (Medium, 6.5)
- CVE-2026-11081MEDIUMChrome Canvas Same-Origin Policy Bypass