HIGH 7.5

CVE-2026-8881: Securly Chrome Extension Weak Cryptography Vulnerability (MD5 Key Derivation)

The Securly Chrome Extension version 3.0.7 uses weak cryptographic practices to encrypt data. Specifically, it relies on MD5—a hash algorithm broken for over two decades—combined with a single-iteration key derivation process to generate encryption keys. This means an attacker with network access could potentially recover encrypted data without needing valid credentials, as modern computing power can reverse the weak key derivation quickly.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

Version 3.0.7 of the Securly Chrome Extension uses EVP_BytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8881 describes a cryptographic implementation flaw in Securly Chrome Extension 3.0.7. The extension uses EVP_BytesToKey with MD5 and a single iteration to derive AES encryption keys. MD5 collisions have been known since 2004, and the single iteration provides zero key stretching—a critical defense against brute-force attacks. Proper key derivation (such as PBKDF2, scrypt, or Argon2 with adequate iterations) would make key recovery computationally infeasible. The lack of iteration count means attackers can derive keys at speeds limited only by AES decryption performance, not by intentional computational delay.

Business impact

If user data encrypted by Securly 3.0.7 is intercepted, attackers can decrypt it without possessing the original encryption password. For an enterprise security tool, this undermines the confidentiality guarantee customers expect. Organizations relying on this extension for sensitive network policy enforcement, content filtering, or user activity logs face potential data breaches. The reputational and compliance implications are significant if encrypted audit trails or user data are exposed.

Affected systems

Securly Chrome Extension version 3.0.7 is affected. Users of this specific version on any platform where Chrome runs (Windows, macOS, Linux) are exposed. Newer and older versions require separate verification against Securly's advisory to determine the scope of the vulnerability.

Exploitability

The vulnerability is network-accessible and requires no authentication or user interaction (CVSS vector: AV:N/AC:L/PR:N/UI:N). An attacker must obtain encrypted data in transit or at rest, which is feasible if they control network segments, compromise cloud storage, or intercept extension communications. The barrier to exploitation is moderate: deriving keys via MD5 and single-iteration EVP_BytesToKey is computationally trivial compared to modern key derivation standards, but still requires awareness of the algorithm and access to encrypted ciphertext.

Remediation

Immediately upgrade Securly Chrome Extension to a patched version that implements modern key derivation functions (PBKDF2, scrypt, Argon2, or equivalent) with adequate iteration counts and a cryptographically secure hash (SHA-256 or stronger). Verify the patch version in Securly's official security advisory. Consider auditing logs of which users or systems may have been using version 3.0.7 in your environment, and assess whether any encrypted data created by that version requires re-encryption with the patched extension.

Patch guidance

Check Securly's official security advisory and Chrome Web Store listing for the patched version number. Deploy the update via your Chrome management policy or endpoint management platform. Chrome Enterprise and education deployments should enforce automatic updates for this extension. Test the patched version in a staging environment before production rollout to ensure compatibility with your deployment's policies and monitoring.

Detection guidance

Query Chrome Web Store and endpoint telemetry to identify machines running Securly extension version 3.0.7. Check extension version numbers in Chrome's extension management page (chrome://extensions) or via mobile device management (MDM) reports. Monitor for any re-encryption or data migration activities after patching to confirm users are no longer using the vulnerable version. Network sensors can log extension-initiated encryption operations, though identifying specific EVP_BytesToKey usage may require reverse-engineering or vendor-provided detection signatures.

Why prioritize this

This vulnerability scores 7.5 (HIGH) because it enables unauthenticated, remote confidentiality compromise of encrypted data. Although it does not allow code execution or data manipulation, the loss of encryption integrity for a security tool is a critical trust failure. The attack requires network access to ciphertext but no user interaction, making it a realistic threat in environments where Securly traffic is visible (compromised networks, insider threats, or man-in-the-middle positions). Organizations should prioritize patching based on the sensitivity of data encrypted by version 3.0.7.

Risk score, explained

CVSS 3.1 score of 7.5 reflects HIGH severity: Attack Vector (Network), Attack Complexity (Low), Privileges Required (None), User Interaction (None), and impact on Confidentiality (High). The metric does not reflect system-wide risk, which may be higher if the extension is widely deployed or lower if organization-specific exposure is limited. The vulnerability does not achieve CRITICAL (9.0+) because it does not enable integrity compromise, availability impact, or system takeover—it is confined to confidentiality loss of extension-encrypted data.

Frequently asked questions

Do I need to patch if my organization doesn't use Securly?

No. This vulnerability is specific to Securly Chrome Extension version 3.0.7. If your organization does not deploy this extension, there is no direct exposure.

What data is at risk if we're running version 3.0.7?

Any data encrypted by the extension using its built-in encryption feature is at risk if an attacker obtains the ciphertext. This may include filtered content logs, policy decisions, or any other data the extension encrypts before transmission or storage. Review Securly's documentation for your deployment to understand what data is encrypted.

Can we continue using version 3.0.7 if we don't rely on its encryption feature?

Not recommended. Even if your organization disables the extension's encryption, running an outdated version with known cryptographic flaws creates unnecessary risk and violates security hygiene. Upgrade to the patched version immediately.

Is there a workaround until patching is complete?

The primary mitigation is to upgrade. If you cannot patch immediately, minimize the extension's exposure by restricting it to trusted networks, disabling encryption features if possible, and avoiding transmission of sensitive data through systems running version 3.0.7. These are temporary measures only; patch as soon as feasible.

This analysis is based on publicly available vulnerability data as of the publication date and should not be considered legal or compliance advice. Organizations must verify patch availability and compatibility with their environment against Securly's official security advisory before deploying updates. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor patch timelines or version numbers; always consult vendor documentation as the authoritative source. Testing in non-production environments is strongly recommended. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).