CVE-2026-11695: Chrome Password Feature Cross-Origin Data Leak
Google Chrome prior to version 149.0.7827.103 contains a flaw in its password handling logic that could allow an attacker to leak sensitive data across website boundaries. An attacker would need to craft a malicious HTML page and convince a user to visit it, but the vulnerability itself does not require the user to take additional actions beyond normal browsing. The leaked data is restricted to information accessible within the browser context of the affected user.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-693
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from an inappropriate implementation in Chrome's password feature that fails to properly isolate data between different website origins. Classified under CWE-693 (Insufficient Protection of Assets Against Unauthorized Access), the flaw permits a remote, unauthenticated attacker to exfiltrate cross-origin data via a specially crafted HTML page. The attack vector is network-based with low complexity, requires user interaction (visiting a malicious page), and results in confidentiality impact without affecting integrity or availability. Chromium security researchers designated this as High severity within their internal framework.
Business impact
This vulnerability primarily threatens users whose browsers store sensitive credentials or session data. Organizations managing users who rely on Chrome for accessing sensitive web applications face a risk that attackers could extract authentication tokens, session identifiers, or other cross-origin data. The attack requires social engineering—tricking a user into visiting a malicious site—but the payload requires no exploitation of other flaws. For enterprises using Chrome as an approved browser, this represents a data leakage risk that could compromise access controls or credential integrity if cached secrets are exposed.
Affected systems
Google Chrome on Windows, macOS, and Linux distributions are affected. All versions prior to 149.0.7827.103 contain the vulnerability. Since Chrome updates automatically on most systems, the affected population shrinks rapidly once patches are released, but organizations with auto-update disabled or browsers in isolated environments remain at risk.
Exploitability
Exploitation requires no special privileges or complex attack infrastructure. An attacker crafts a malicious HTML page and distributes it through phishing, malvertising, or compromised websites. User interaction is mandatory—the victim must visit the attacker-controlled page while logged into sensitive sites. The low complexity and network-based vector make this practical for targeted campaigns against high-value targets, though mass exploitation is less likely given the social engineering requirement.
Remediation
Update Google Chrome to version 149.0.7827.103 or later. Most users benefit from Chrome's automatic update mechanism, which deploys patches within days of release. Organizations should verify patch deployment through their endpoint management tools and confirm that auto-update has not been disabled via group policy or configuration management. Users on unsupported platforms should upgrade their operating systems or migrate to supported browsers.
Patch guidance
Patch deployment for Chrome is straightforward due to its automatic update architecture. Verify the installed version in Chrome's settings (three-dot menu → Help → About Google Chrome) and confirm it displays 149.0.7827.103 or higher. Organizations using managed deployments can enforce updates through group policies on Windows or configuration management on macOS and Linux. If auto-update is disabled, re-enable it or schedule manual updates. For enterprise environments, test patch compatibility in non-production browsers before broad rollout, though Chrome's standard release process typically minimizes compatibility risk.
Detection guidance
Detection of exploitation attempts is challenging because successful attacks leave minimal forensic traces—the attacker merely reads data already present in the browser. Monitor for unusual network connections from browsers to unexpected external domains, though this may generate noise in normal web browsing. More effective is tracking Chrome version adoption rates across the organization: confirm that the vast majority of deployed instances report version 149.0.7827.103 or later. Endpoint detection and response (EDR) tools may flag suspicious page interactions if they correlate with credential-stealing patterns, but this requires tuning to avoid false positives. Focus detection efforts on users who visit high-risk external sites or receive phishing emails, as these users face the highest attack probability.
Why prioritize this
Although the CVSS score of 4.3 (Medium) suggests lower priority, context matters. The attack requires only network access and user interaction, with zero additional exploitation complexity, making it practical for attackers. The impact—leaking cross-origin data and potentially session credentials—could lead to unauthorized access to sensitive applications. However, the mandatory user interaction step provides a natural control; users who avoid suspicious links face significantly reduced risk. Prioritize patching for users in high-risk roles or those who handle sensitive data, then extend to the broader user base. The rapid deployment cycle of Chrome patches means full remediation is achievable within days to weeks for most organizations.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects a network-accessible vulnerability with low attack complexity and required user interaction, resulting in low confidentiality impact and no integrity or availability impact. Chromium's internal severity designation of 'High' reflects that password-related flaws receive elevated scrutiny regardless of technical CVSS metrics. The discrepancy highlights that CVSS measures technical exploitability, not business consequence; leaking cross-origin data through password features is treated seriously by browser vendors even when the attack surface is somewhat constrained. The absence of a CISA KEV listing underscores that this is not yet observed in active, widespread exploitation.
Frequently asked questions
Could an attacker steal my passwords directly with this flaw?
No. The vulnerability leaks cross-origin data accessible within the browser context, not passwords stored in Chrome's encrypted vault. However, attackers could potentially exfiltrate session tokens or authentication data if they are exposed in page context.
Do I need to change my passwords after this vulnerability was announced?
If you were using a vulnerable version and visited untrusted sites during the window before patching, it is prudent to change passwords for sensitive accounts as a precaution. However, the attack requires a user to visit a malicious page; passive browsing of legitimate sites poses no risk.
How long do I have to patch before attackers exploit this?
Chromium released the patch on June 9, 2026, and most Chrome users auto-update within days. The vulnerability is not on the CISA KEV list, indicating no observed exploitation in the wild as of the latest update. Nevertheless, patch urgently; attackers typically begin targeting high-value users shortly after public disclosure.
Will this affect Chrome on my mobile device?
Mobile versions of Chrome (on iOS and Android) are also affected. Update through your device's app store or rely on automatic updates. iOS users should ensure they are running the latest version of Chrome; some iOS restrictions may slow Chrome patching relative to desktop versions.
This analysis is based on vulnerability data published as of June 17, 2026, and reflects publicly available information. CVSS scores and severity ratings are provided by the National Vulnerability Database and Chromium security researchers and are subject to revision. Patch version numbers, affected product lists, and KEV status must be verified against official vendor advisories and CISA sources before making deployment decisions. This document does not constitute security advice for any specific organization; consult your security team and vendor documentation when planning remediation. No proof-of-concept code, exploit techniques, or weaponized payloads are provided or endorsed. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11174MEDIUMChrome Site Isolation Bypass – CVSS 5.3 Medium Vulnerability
- CVE-2026-11206MEDIUMChrome Service Worker Data Leak Vulnerability – CVSS 6.5
- CVE-2026-11219MEDIUMGoogle Chrome Navigation Bypass Vulnerability – Patching Guide
- CVE-2026-11234MEDIUMChrome FoldableAPIs Site Isolation Bypass (149.0.7827.53)
- CVE-2026-11260MEDIUMGoogle Chrome CSP Bypass in Permissions Handling
- CVE-2026-11264MEDIUMContent Security Policy Bypass in Chrome – Patch to 149.0.7827.53
- CVE-2026-11266MEDIUMChrome Safe Browsing Bypass Vulnerability — Patch v149.0.7827.53
- CVE-2026-11288MEDIUMCross-Origin Data Leak via CSS in Chrome – Patch Guidance