CVE-2026-11294: Chrome Password UI Spoofing Vulnerability – CVSS 4.3
Google Chrome versions prior to 149.0.7827.53 contain a flaw in password handling that allows attackers to create fake or misleading login screens through specially crafted web pages. An attacker would need to trick a user into visiting a malicious website, but once there, the browser's UI protections don't adequately prevent visual deception. This is not an authentication bypass—it's a user interface trick that could mislead people about whether they're interacting with legitimate Chrome UI or attacker-controlled content.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-451
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in Chrome's password management implementation, classified under CWE-451 (User Interface (UI) Misrepresentation of Critical Information). The flaw stems from inappropriate implementation logic that fails to adequately distinguish or protect against spoofing of password-related UI elements. An attacker can craft an HTML page that, when viewed in a vulnerable Chrome version, deceives users about the origin or legitimacy of UI elements associated with password operations. The attack surface requires user interaction (visiting a malicious site) but does not require elevated privileges or complex setup. The CVSS score of 4.3 (MEDIUM severity) reflects limited integrity impact without confidentiality or availability harm.
Business impact
The primary risk is phishing and credential harvesting at scale. If attackers can convincingly spoof Chrome's password UI, users may unknowingly enter credentials into attacker-controlled forms they believe are legitimate browser prompts. This affects organizations where employees use Chrome as a primary browser, particularly those relying on password managers or multi-factor authentication flows. The reputational and compliance implications depend on whether users' stored passwords or session tokens are compromised as a secondary effect. Financial impact is moderate—this is not a wormable or self-propagating issue, and it requires social engineering to succeed.
Affected systems
The vulnerability affects Google Chrome on all major operating systems: Windows, macOS, and Linux. Any Chrome user running a version prior to 149.0.7827.53 is at risk. The listing includes Linux kernel and mentions of multiple OS vendors because Chrome runs as a cross-platform application; the underlying OS does not cause or mitigate the flaw. Organizations should assume all Chrome deployments worldwide are potentially affected until patched.
Exploitability
Exploitability is straightforward from a technical perspective. The attacker need only host a crafted HTML file and lure a user to visit it—no authentication, privilege escalation, or zero-click delivery is required. However, real-world impact depends on social engineering effectiveness. The flaw is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active in-the-wild exploitation has not been officially confirmed as of the knowledge cutoff date, though that does not exclude targeted or unreported attacks. The low Chromium security severity assigned by Google reflects the UI-focused nature of the threat.
Remediation
Users and organizations must update Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism should deliver the patch automatically within days of release, but admins should verify deployment in enterprise environments. No workarounds exist; the fix is code-level and requires the patched version. For organizations managing Chrome via group policy or mobile device management, ensure policies do not delay or defer the update.
Patch guidance
Verify that Chrome has auto-updated to 149.0.7827.53 or later by checking Settings > About Chrome (the browser will report the installed version and auto-check for updates). Enterprise customers using Google Admin console can push the update across managed devices or verify compliance via inventory reports. For Linux distributions, check your package manager's Chrome release—some distributions may lag behind Google's direct release cadence. Mobile Chrome on iOS and Android should update similarly through the respective app stores. No manual compilation or vendor-specific patches are necessary; the upstream Google release is the authoritative fix.
Detection guidance
Monitor for signs of phishing campaigns or credential complaints correlated with Windows/Mac/Linux Chrome usage. Security teams can audit browsing logs for visits to known malicious domains hosting proof-of-concept exploits (though these are not public as of publication). Look for user reports of unexpected password prompts or confusion about browser UI. Network-based detection is difficult because the attack manifests client-side and uses standard HTTP/HTTPS. Endpoint detection and response (EDR) tools may flag suspicious HTML payloads or script execution in browser contexts if configured for behavioral analysis. The best detection remains user awareness and credential monitoring (via tools that alert on unusual login patterns or bulk password resets).
Why prioritize this
While the CVSS score is MEDIUM, the practical risk depends on your threat model. If your organization relies on strong phishing awareness and multi-factor authentication, the impact is reduced—attackers cannot gain access even with spoofed password UI if they don't possess valid credentials and a second factor. Conversely, if users manage highly sensitive accounts (finance, identity management, email) via Chrome and lack MFA, this should be prioritized. The absence from the KEV catalog suggests no imminent massive-scale exploitation, but the attack is user-friendly and aligns with attacker motivations (credential theft). Patch within normal update cycles—do not defer, but do not treat as critical-severity either. Pair patching with a reminder to employees about verifying login origins.
Risk score, explained
The CVSS 4.3 MEDIUM score reflects: Network-based attack vector (AV:N), low attack complexity requiring only a crafted HTML page (AC:L), no privilege requirement (PR:N), but user interaction is mandatory (UI:R). Scope is unchanged (S:U), meaning the impact is limited to the Chrome process, not system-wide. Confidentiality is not affected (C:N), integrity is low (I:L) because the attack deceives UI representation rather than directly corrupting data, and availability is not affected (A:N). The score appropriately captures a social engineering vector with medium nuisance/risk, not a critical flaw. Chromium's internal severity of 'Low' reflects Google's view that the flaw is browser-specific and not a full security boundary bypass.
Frequently asked questions
Do I need to update immediately, or can this wait for my regular patch cycle?
If your organization enforces multi-factor authentication and has strong phishing training, you can include this in your standard update schedule. However, if users handle sensitive credentials in Chrome without MFA or work in high-risk roles (executive, finance), prioritize within the next 1–2 weeks. Chrome's auto-update mechanism means many users will be patched automatically within days, reducing overall exposure.
Will this vulnerability affect Chrome on iOS or Android?
Yes. All platforms running Chrome prior to 149.0.7827.53 are affected. iOS users should update via the App Store, and Android users via Google Play. The vulnerability is not platform-specific; it stems from Chrome's password UI logic, which is shared across all implementations.
Can attackers exploit this to steal my saved passwords?
No. This vulnerability allows visual spoofing of password UI, potentially tricking you into typing credentials into a fake prompt. It does not directly access Chrome's encrypted password vault or bypass Chrome's authentication. However, if an attacker successfully tricks you into entering credentials, those credentials are then in the attacker's possession. This is why multi-factor authentication is an effective defense.
Is this vulnerability being actively exploited in the wild?
As of the published date, this CVE is not listed on CISA's Known Exploited Vulnerabilities catalog, meaning there is no confirmed public evidence of active exploitation. However, that does not guarantee zero attacks; targeted or unreported exploitation could be occurring. We recommend patching based on your risk tolerance rather than waiting for confirmation of in-the-wild attacks.
This analysis is provided for informational purposes to support vulnerability management and threat prioritization. It does not constitute legal, compliance, or procurement advice. Organizations should conduct their own risk assessments aligned with internal policies and regulatory requirements. Patch version numbers and affected product lists are accurate as of the source publication date; verify against the latest vendor advisories before deployment. No exploit code or weaponized proof-of-concept is provided. This page does not endorse or recommend any third-party tools or services. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11107MEDIUMGoogle Chrome UI Spoofing Vulnerability – Patch Guide
- CVE-2026-11216MEDIUMChrome File Input UI Spoofing – Patch to 149.0.7827.53
- CVE-2026-11222MEDIUMChrome Tab Strip Domain Spoofing Vulnerability – Patch Guide
- CVE-2026-11225MEDIUMChrome Domain Spoofing Vulnerability – Patch Guidance
- CVE-2026-11227MEDIUMChrome Tab Hover Card Domain Spoofing Vulnerability
- CVE-2026-11228MEDIUMChrome UI Spoofing Vulnerability via File Input Flaw
- CVE-2026-11232MEDIUMGoogle Chrome TabGroups UI Spoofing Vulnerability
- CVE-2026-11245MEDIUMChrome UI Spoofing in Payments Component (CVSS 4.3)