CVE-2026-11298: Chrome for iOS Same-Origin Policy Bypass Vulnerability
A vulnerability in Google Chrome for iOS allows attackers to bypass the same-origin policy—a critical security boundary that prevents websites from accessing data belonging to other sites—by tricking users into visiting a specially crafted webpage. The flaw affects Chrome versions before 149.0.7827.53 on iPhones and iPads. While the Chromium project rated this as low severity, the CVSS score reflects a medium severity due to the potential for information disclosure or unauthorized content modification in cross-origin contexts.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-346
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11298 is an implementation flaw in the same-origin policy (SOP) enforcement mechanism within Chrome for iOS. The vulnerability stems from improper handling of origin validation when processing requests or content from crafted HTML pages. An attacker can exploit this by hosting a malicious webpage and convincing a user to visit it, which then executes code that would normally be blocked by the same-origin policy. The attack requires user interaction (clicking a link or visiting a site) but no special privileges. The flaw is tracked under CWE-346 (Origin Validation Error).
Business impact
Organizations relying on web applications served to iPhone and iPad users face potential data leakage risks if users browse untrusted websites while authenticated to sensitive applications. Sensitive data such as authentication tokens, session cookies, or user-specific information could be exfiltrated by attacker-controlled sites. The impact is heightened in environments where users access internal or third-party web applications on iOS devices without strict network controls or managed app deployment.
Affected systems
The vulnerability affects Google Chrome on iOS (iPhone OS) versions prior to 149.0.7827.53. Any user running an older version of Chrome on an Apple iPhone or iPad is potentially vulnerable. Notably, this is specific to the iOS version of Chrome; Chrome on Android, Windows, macOS, and Linux require separate patching.
Exploitability
Exploitation requires user interaction—the victim must visit a malicious webpage or click an attacker-controlled link. No authentication or special privileges are needed on the victim's system, and the attack surface is broad (any website the user visits). However, the attacker cannot initiate the exploit remotely without user action. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been documented as of the current date.
Remediation
Users should update Google Chrome on iOS to version 149.0.7827.53 or later. For enterprise environments managing iOS devices, ensure Mobile Device Management (MDM) policies enforce automatic Chrome updates or restrict users to updated versions. Alternatively, organizations can disable Chrome as a sanctioned browser and enforce Safari with appropriate security policies, though this requires administrative control over device enrollment.
Patch guidance
Verify the installed version of Chrome on iOS by opening the app, navigating to Settings > About Chrome, and confirming the version matches 149.0.7827.53 or higher. Patches are typically delivered through the Apple App Store automatically if auto-updates are enabled. Device administrators should audit Chrome deployment across managed iOS devices and enforce minimum version policies. Test patch deployment in a small cohort before rolling out organization-wide to ensure no application compatibility issues arise.
Detection guidance
Monitor network traffic for suspicious cross-origin requests originating from iOS devices running Chrome. Endpoint detection tools integrated with Mobile Threat Defense (MTD) solutions can flag exploitation attempts by analyzing webpage behavior. Server-side detection is limited but can include monitoring access logs for unusual patterns where authenticated sessions are accessed from unexpected origins or user agents. Focus detection efforts on high-value applications handling sensitive data and ensure robust content security policy (CSP) headers are in place to limit the impact of SOP bypasses.
Why prioritize this
This vulnerability should be prioritized for organizations with significant mobile workforce access to sensitive web applications. The CVSS 4.3 score and medium severity designation reflect the need for timely patching, but the lack of KEV status and active exploitation reporting suggests lower urgency than critical vulnerabilities. Prioritize patch deployment for users accessing financial, healthcare, or identity management portals; defer for environments where mobile browser usage is limited to public-facing applications.
Risk score, explained
The CVSS 3.1 score of 4.3 (MEDIUM) is driven by network accessibility without authentication (AV:N, PR:N) and the requirement for user interaction (UI:R). The impact is restricted to integrity (I:L)—attackers can modify or steal content—with no availability impact (A:N) and no confidentiality impact listed in the vector. While Chromium's internal severity rating was Low, the CVSS methodology elevates this to Medium due to the ease of exploitation and the fundamental nature of SOP bypass attacks. The moderate score reflects that real-world harm depends on how users interact with untrusted content while authenticated to sensitive sites.
Frequently asked questions
Does this vulnerability affect Chrome on other platforms like Android or Windows?
No, CVE-2026-11298 is specific to Chrome for iOS. Chrome on Android, Windows, macOS, and Linux have separate vulnerability tracks and patching schedules. However, organizations should verify that Chrome on all platforms is kept current as a general security practice.
If I use Safari instead of Chrome on iOS, am I protected?
Yes, Safari has a separate implementation of the same-origin policy and is not affected by this specific flaw. However, Safari may have its own vulnerabilities. Using Safari does not eliminate the need for user awareness—users should still avoid visiting untrusted websites when authenticated to sensitive applications.
Can an attacker exploit this without the user visiting a malicious website?
No, the attacker must trick the user into visiting a crafted webpage or clicking a malicious link. This is why user education and awareness remain critical. Users should be cautious about links in emails, messages, or untrusted sources, especially when logged into sensitive applications.
What does 'same-origin policy' protect against?
The same-origin policy is a cornerstone of web security that prevents JavaScript code from one website from accessing data belonging to another website. It ensures that even if you visit a malicious site while logged into your bank, the malicious site cannot steal your banking data. This vulnerability allows an attacker to circumvent that protection on iOS Chrome.
This analysis is based on publicly available information from the CVE database and Chromium security advisories as of the publication date. Vulnerabilities and patch status may evolve; security teams should consult official vendor advisories and test patches in non-production environments before deployment. This explainer is for informational purposes and does not constitute legal, compliance, or professional security advice. SEC.co makes no warranty regarding the accuracy or completeness of this analysis. Users are responsible for assessing the applicability of this vulnerability to their specific environment and maintaining their own vulnerability assessment and patch management practices. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw
- CVE-2026-11048MEDIUMChrome Extension Same-Origin Policy Bypass (Medium, 6.5)
- CVE-2026-11081MEDIUMChrome Canvas Same-Origin Policy Bypass
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11084MEDIUMChrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
- CVE-2026-11132MEDIUMChrome Same-Origin Policy Bypass in Paint Component