CVE-2026-8874: Securly Chrome Extension Cleartext Configuration Download Vulnerability
Securly Chrome Extension version 3.0.7 downloads security configuration files—specifically crisis alert keywords and filtering rules—over plain HTTP instead of the encrypted HTTPS protocol. While the same extension correctly uses HTTPS for other sensitive data (IWF and CIPA filtering data), this inconsistency leaves downloaded crisis alert configurations vulnerable to interception and modification by network-positioned attackers. An attacker on the same network could intercept these files and inject malicious keywords or rules, potentially disrupting the extension's security functionality or causing it to behave unexpectedly.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
- Weaknesses (CWE)
- CWE-319
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-8874 involves cleartext transmission of JSON configuration files via HTTP in Securly version 3.0.7. The vulnerability stems from inconsistent TLS implementation: the extension's Fetch API calls for crisis alert keywords and filtering rules lack encryption, while other endpoints (IWF, CIPA) properly enforce HTTPS. This mixed-mode approach creates a CWE-319 (Cleartext Transmission of Sensitive Information) flaw. An attacker with network access (AV:A) can passively intercept or actively modify these JSON files without authentication (PR:N) or user interaction (UI:N). The impact includes confidentiality loss (sensitive configuration exposure) and high integrity risk (rules can be altered), with no direct availability impact. The CVSS 3.1 score of 7.1 (HIGH) reflects the integrity concern in a network-adjacent threat model.
Business impact
For organizations deploying Securly to manage internet access and content filtering across student or employee devices, this vulnerability creates compliance and operational risk. Crisis alert keywords—used to identify and flag concerning user behavior—are now potentially observable and modifiable by network attackers. Tampering with these configurations could blind the extension to genuine alerts, delay incident response, or cause false alarms. Schools and enterprises relying on Securly for duty-of-care monitoring (particularly in K-12 environments) may face regulatory exposure if compromised rules fail to detect genuine safety incidents. The HIGH severity rating underscores the need for prompt remediation before widespread deployment of vulnerable versions.
Affected systems
Securly Chrome Extension version 3.0.7 is affected. The vulnerability applies to any deployment where the extension is installed on devices connected to networks where HTTP traffic can be intercepted—including open WiFi, corporate networks without robust network segmentation, or environments where an attacker has gained network-adjacent access. The scope is limited to this specific extension version; verify your installed version via chrome://extensions/ or your organization's device management platform.
Exploitability
Exploitation requires network-adjacent positioning (the same network segment as the target device) but no user interaction, authentication, or sophisticated tooling. An attacker can passively sniff HTTP traffic to intercept JSON configuration files or use techniques like ARP spoofing or DNS hijacking to actively redirect requests. The AC:L (Low Complexity) rating reflects the straightforward nature of HTTP interception. However, real-world exploitation likelihood is constrained by the need for network access and the typical use case (managed enterprise or school networks) where such positioning may be detected. The vulnerability is not known to be exploited in the wild (KEV status: Not listed).
Remediation
Upgrade Securly Chrome Extension immediately to a version that enforces HTTPS for all configuration downloads, including crisis alert keywords and filtering rules. Consult the Securly security advisory or release notes to identify the first patched version (expected to be 3.0.8 or later). For organizations managing deployments via Chrome Enterprise or similar tools, force-push the updated extension to all affected devices. As an interim control, enforce network-level rules (DNS filtering, proxy inspection) to detect and block cleartext configuration downloads, though this does not eliminate the underlying vulnerability.
Patch guidance
1. Access Securly's official security advisory or release notes to confirm the patch version number. 2. If you manage Securly via Chrome Enterprise, Google Workspace, or similar MDM, update the deployment to the patched version and trigger automatic updates across managed devices. 3. For unmanaged or BYOD scenarios, ensure users are notified to manually update the extension via the Chrome Web Store. 4. Verify successful remediation by confirming all devices are running the patched version (chrome://extensions/ shows version >= the patched release). 5. After patching, monitor Securly logs for any anomalies during the update rollout. Verify against the vendor advisory for exact version numbers and timelines.
Detection guidance
Network defenders can detect exploitation attempts by monitoring for HTTP requests to Securly's configuration servers (look for JSON payloads in cleartext HTTP flows). Log any alerts from web filtering or DLP tools flagging unencrypted transmission of configuration data. On endpoints, check Securly Chrome Extension logs (if accessible) for any configuration load errors or mismatches post-patch. Monitor for unexpected changes in crisis alert rules or keyword definitions that might indicate tampering. DNS logs can reveal redirection attempts targeting Securly configuration endpoints.
Why prioritize this
This vulnerability merits HIGH priority despite its network-adjacent attack vector because: (1) integrity impact is significant—maliciously modified alert rules directly undermine the extension's core safety function; (2) deployment scope is broad in K-12 and enterprise environments where Securly is commonly mandated; (3) the inconsistency (HTTPS used elsewhere in the extension) is a configuration error easily corrected; (4) organizations in regulated sectors (education, healthcare) face compliance exposure if filtering rules are compromised. Prioritize patching ahead of other medium-risk issues.
Risk score, explained
CVSS 3.1 score of 7.1 (HIGH) is justified by: Attack Vector: Adjacent Network (AV:A)—requires network proximity but not internet-wide exploitability. Attack Complexity: Low (AC:L)—HTTP interception is trivial. Privileges Required: None (PR:N)—no authentication needed. User Interaction: None (UI:N)—automatic background downloads. Scope: Unchanged (S:U)—impacts only the Securly extension and its configuration. Confidentiality: Low (C:L)—configuration files are exposed but not typically the primary asset. Integrity: High (I:H)—rules can be modified, directly affecting security posture. Availability: None (A:N)—no direct denial-of-service. The HIGH rating reflects the integrity risk in a network-scoped scenario; in internet-facing applications, the AV:A constraint would lower the score. However, for a Chrome Extension deployed in managed networks, nearby attack positions are realistic.
Frequently asked questions
How do I know if my organization uses Securly 3.0.7?
Check chrome://extensions/ on any managed device and look for the Securly extension version number. If you administer devices via Google Workspace, Chrome Enterprise, or an MDM platform, query the device inventory to filter for Securly versions. Contact your IT department or Securly account representative to confirm the deployed version across your fleet.
Can an attacker outside our network exploit this?
No. The vulnerability requires network-adjacent access (the same local network or a routed network segment where the attacker can intercept or redirect traffic). Remote, internet-based attackers cannot exploit this flaw. However, if your network boundaries are porous or VPN access is compromised, the attack surface expands.
What exactly can an attacker do by modifying the crisis alert rules?
An attacker can inject, remove, or modify keywords and patterns used by Securly to detect concerning behavior (e.g., self-harm, violence, or other safety risks). This could cause genuine alerts to be missed, false alerts to trigger, or the extension to prioritize the attacker's chosen alerts. In a school environment, this could impair the ability to detect and respond to student safety incidents.
Is this currently being exploited?
No. This vulnerability is not listed on CISA's KEV (Known Exploited Vulnerabilities) catalog, and no public exploit code is available. However, the simplicity of HTTP interception means opportunistic exploitation by network-adjacent attackers is possible if left unpatched in vulnerable environments.
This analysis is provided for informational and defensive purposes. SEC.co does not provide exploit code or weaponization guidance. Patch version numbers and timelines must be verified against Securly's official security advisory. Organizations should conduct internal testing before deploying patches in production. This advisory does not constitute legal or compliance advice; consult your legal and compliance teams regarding regulatory obligations related to security tool integrity. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34126HIGHTP-Link Tapo Unencrypted Bluetooth Setup Vulnerability – L535E, P300, D100C
- CVE-2023-52951MEDIUMSynology Note Station Client Cleartext Credential Transmission Vulnerability
- CVE-2026-10584MEDIUMGraph Explorer HTTPS Fallback to HTTP Vulnerability
- CVE-2026-25599MEDIUMOrca Heat Pump Unauthenticated HTTP and Stored XSS Vulnerability
- CVE-2026-36610MEDIUMMercusys AC12G EU Plaintext DDNS Credential Disclosure
- CVE-2026-43625MEDIUMCodexBar Session Cookie Leakage – Urgent Patch Required
- CVE-2026-7666LOWDjango SMTP Email Backend STARTTLS Fallback Vulnerability
- CVE-2026-8876HIGHHardcoded AES Keys in Securly Chrome Extension 3.0.7