MEDIUM 4.3

CVE-2026-11298: Chrome for iOS Same-Origin Policy Bypass Vulnerability

A vulnerability in Google Chrome for iOS allows attackers to bypass the same-origin policy—a critical security boundary that prevents websites from accessing data belonging to other sites—by tricking users into visiting a specially crafted webpage. The flaw affects Chrome versions before 149.0.7827.53 on iPhones and iPads. While the Chromium project rated this as low severity, the CVSS score reflects a medium severity due to the potential for information disclosure or unauthorized content modification in cross-origin contexts.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-346
Affected products
2 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11298 is an implementation flaw in the same-origin policy (SOP) enforcement mechanism within Chrome for iOS. The vulnerability stems from improper handling of origin validation when processing requests or content from crafted HTML pages. An attacker can exploit this by hosting a malicious webpage and convincing a user to visit it, which then executes code that would normally be blocked by the same-origin policy. The attack requires user interaction (clicking a link or visiting a site) but no special privileges. The flaw is tracked under CWE-346 (Origin Validation Error).

Business impact

Organizations relying on web applications served to iPhone and iPad users face potential data leakage risks if users browse untrusted websites while authenticated to sensitive applications. Sensitive data such as authentication tokens, session cookies, or user-specific information could be exfiltrated by attacker-controlled sites. The impact is heightened in environments where users access internal or third-party web applications on iOS devices without strict network controls or managed app deployment.

Affected systems

The vulnerability affects Google Chrome on iOS (iPhone OS) versions prior to 149.0.7827.53. Any user running an older version of Chrome on an Apple iPhone or iPad is potentially vulnerable. Notably, this is specific to the iOS version of Chrome; Chrome on Android, Windows, macOS, and Linux require separate patching.

Exploitability

Exploitation requires user interaction—the victim must visit a malicious webpage or click an attacker-controlled link. No authentication or special privileges are needed on the victim's system, and the attack surface is broad (any website the user visits). However, the attacker cannot initiate the exploit remotely without user action. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been documented as of the current date.

Remediation

Users should update Google Chrome on iOS to version 149.0.7827.53 or later. For enterprise environments managing iOS devices, ensure Mobile Device Management (MDM) policies enforce automatic Chrome updates or restrict users to updated versions. Alternatively, organizations can disable Chrome as a sanctioned browser and enforce Safari with appropriate security policies, though this requires administrative control over device enrollment.

Patch guidance

Verify the installed version of Chrome on iOS by opening the app, navigating to Settings > About Chrome, and confirming the version matches 149.0.7827.53 or higher. Patches are typically delivered through the Apple App Store automatically if auto-updates are enabled. Device administrators should audit Chrome deployment across managed iOS devices and enforce minimum version policies. Test patch deployment in a small cohort before rolling out organization-wide to ensure no application compatibility issues arise.

Detection guidance

Monitor network traffic for suspicious cross-origin requests originating from iOS devices running Chrome. Endpoint detection tools integrated with Mobile Threat Defense (MTD) solutions can flag exploitation attempts by analyzing webpage behavior. Server-side detection is limited but can include monitoring access logs for unusual patterns where authenticated sessions are accessed from unexpected origins or user agents. Focus detection efforts on high-value applications handling sensitive data and ensure robust content security policy (CSP) headers are in place to limit the impact of SOP bypasses.

Why prioritize this

This vulnerability should be prioritized for organizations with significant mobile workforce access to sensitive web applications. The CVSS 4.3 score and medium severity designation reflect the need for timely patching, but the lack of KEV status and active exploitation reporting suggests lower urgency than critical vulnerabilities. Prioritize patch deployment for users accessing financial, healthcare, or identity management portals; defer for environments where mobile browser usage is limited to public-facing applications.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM) is driven by network accessibility without authentication (AV:N, PR:N) and the requirement for user interaction (UI:R). The impact is restricted to integrity (I:L)—attackers can modify or steal content—with no availability impact (A:N) and no confidentiality impact listed in the vector. While Chromium's internal severity rating was Low, the CVSS methodology elevates this to Medium due to the ease of exploitation and the fundamental nature of SOP bypass attacks. The moderate score reflects that real-world harm depends on how users interact with untrusted content while authenticated to sensitive sites.

Frequently asked questions

Does this vulnerability affect Chrome on other platforms like Android or Windows?

No, CVE-2026-11298 is specific to Chrome for iOS. Chrome on Android, Windows, macOS, and Linux have separate vulnerability tracks and patching schedules. However, organizations should verify that Chrome on all platforms is kept current as a general security practice.

If I use Safari instead of Chrome on iOS, am I protected?

Yes, Safari has a separate implementation of the same-origin policy and is not affected by this specific flaw. However, Safari may have its own vulnerabilities. Using Safari does not eliminate the need for user awareness—users should still avoid visiting untrusted websites when authenticated to sensitive applications.

Can an attacker exploit this without the user visiting a malicious website?

No, the attacker must trick the user into visiting a crafted webpage or clicking a malicious link. This is why user education and awareness remain critical. Users should be cautious about links in emails, messages, or untrusted sources, especially when logged into sensitive applications.

What does 'same-origin policy' protect against?

The same-origin policy is a cornerstone of web security that prevents JavaScript code from one website from accessing data belonging to another website. It ensures that even if you visit a malicious site while logged into your bank, the malicious site cannot steal your banking data. This vulnerability allows an attacker to circumvent that protection on iOS Chrome.

This analysis is based on publicly available information from the CVE database and Chromium security advisories as of the publication date. Vulnerabilities and patch status may evolve; security teams should consult official vendor advisories and test patches in non-production environments before deployment. This explainer is for informational purposes and does not constitute legal, compliance, or professional security advice. SEC.co makes no warranty regarding the accuracy or completeness of this analysis. Users are responsible for assessing the applicability of this vulnerability to their specific environment and maintaining their own vulnerability assessment and patch management practices. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).