CVE-2026-8889: Securly Chrome Extension SHA-1 Hashing Vulnerability (CVSS 7.5)
Securly's Chrome Extension version 3.0.7 relies on SHA-1 hashing—a cryptographically weak algorithm—to validate URLs against two critical blocklists: the Internet Watch Foundation (IWF) CSAM database and CIPA compliance rules. SHA-1's collision vulnerabilities mean an attacker could craft a malicious URL that hashes to the same value as a legitimate blocked URL, potentially bypassing content filtering controls that organizations depend on for legal compliance and child safety.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-407
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes).
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-8889 identifies the use of deprecated SHA-1 hashing in Securly 3.0.7 for two distinct URL matching functions: IWF CSAM hash matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes). SHA-1 is vulnerable to practical collision attacks, allowing an adversary to construct URLs that collide with existing hashes in these blocklists. The vulnerability maps to CWE-407 (Reliance on Untrusted Inputs in a Security Decision), as the hash collision could cause the extension to make incorrect filtering decisions. With a CVSS 3.1 score of 7.5 (high severity), the attack requires no authentication or user interaction and operates over the network, but confidentiality impact dominates the score rather than availability or integrity metrics.
Business impact
Organizations using Securly 3.0.7 for CIPA compliance or child safety may face regulatory exposure if the hash collision vulnerability allows prohibited content to reach end users. Schools and libraries relying on the extension for mandatory content filtering could face CIPA audit findings or legal liability if blocked material bypasses the filter due to a crafted URL. Reputational damage and loss of institutional trust are risks if the filtering failure is discovered or exploited.
Affected systems
The vulnerability affects Securly Chrome Extension version 3.0.7 specifically. Scope is limited to users running this version; patched or updated versions are not affected. Chrome browser deployments on Windows, macOS, and Linux are potentially vulnerable if version 3.0.7 is installed. Enterprise deployments via Chrome policies should verify their pinned or default extension versions.
Exploitability
Exploitability is moderate-to-high in a targeted scenario. An attacker must craft a URL whose SHA-1 hash collides with an existing entry in either the IWF CSAM or CIPA blocklist. While SHA-1 collision generation is computationally feasible (proven techniques exist in academic literature), it requires deliberate effort and is not a trivial on-the-fly operation. However, once a collision is generated, the bypass is deterministic and reliable. Active exploitation in the wild is not documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
Remediation
Upgrade Securly Chrome Extension to a version implementing cryptographically strong hashing (SHA-256 or SHA-3) for both IWF CSAM and CIPA blocklist matching. Verify the patched version in the Chrome Web Store or via Securly's official release notes. Organizations should prioritize deployment in test environments first, then roll out to production via managed Chrome policies to ensure uniform coverage.
Patch guidance
Check the Securly Chrome Web Store listing or official Securly advisory for the patched version number. If automatic updates are enabled, the extension should self-update to the remediated version. For managed deployments, administrators should verify the pinned extension version in Chrome policies and update it to the recommended patched release. Document the update in your change management system and test in a pilot group before full rollout. Securly's security advisory should specify the affected and remediated versions; cross-reference that guidance before deploying.
Detection guidance
Monitor Chrome extension versions in your environment using MDM/EMM tooling or Chrome extension reporting APIs. Flag any machines running Securly version 3.0.7 and prioritize them for patching. Review proxy logs or endpoint detection for anomalous unblocked content (though this is indirect). Securly administrators can query their deployment dashboards to identify affected clients. Consider adding a detection rule to your SIEM if Securly provides telemetry or logs that include extension version numbers.
Why prioritize this
HIGH priority. Although exploitation requires deliberate SHA-1 collision crafting and is not currently widespread, the impact on regulatory compliance (CIPA) and child safety make this a business-critical fix. Educational and public libraries using Securly for mandated filtering should remediate within 30 days. The high CVSS score, combined with the reputational and legal risks of a filtering bypass, justifies accelerated patching even in the absence of active exploit code.
Risk score, explained
CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible attack requiring no authentication or user interaction (AV:N/AC:L/PR:N/UI:N). The Confidentiality impact is High because successful URL hash collision could expose blocked (CSAM or age-inappropriate) content to users who should not see it. Integrity and Availability are marked as None because the extension does not become unstable or corrupt; the risk is information disclosure via bypass, not system compromise. The lack of Scope change (S:U) indicates the impact is limited to the confidentiality decision-making of the extension itself, not a broader system compromise.
Frequently asked questions
What is the practical risk if we run Securly 3.0.7?
Your organization's content filtering may be bypassed if an attacker crafts a malicious URL that SHA-1-collides with a blocked URL in Securly's blocklists. The likelihood depends on whether such URLs are actively deployed against your environment. For CIPA-regulated institutions, any bypass of mandated filtering could trigger audit findings or compliance violations.
Do I need to update immediately, or can I wait for a maintenance window?
Upgrade within 30 days. If your organization uses Securly for regulatory compliance (CIPA) or child safety in schools/libraries, prioritize the update in your next available maintenance window—ideally within 2 weeks. The vulnerability is not yet listed as actively exploited, but the compliance and reputational risks are significant enough to justify expedited patching.
How do I know if I have Securly 3.0.7 installed?
Check the Chrome Extensions page (chrome://extensions) and look for Securly in the installed list; it will display the version number. For managed deployments, use your MDM console or Chrome policy reporting to scan all devices. Securly's admin dashboard may also show client versions.
Will updating break any filtering rules or policies I've configured?
No. The patch preserves all configured policies and blocklists; it only changes the hashing algorithm from SHA-1 to a stronger one. After updating, your filtering should work identically but with stronger cryptographic integrity. Test in a pilot group if you want confirmation before broad rollout.
This analysis is based on the published CVE record and vendor advisories current as of June 2026. Patch version numbers and release dates should be verified directly against Securly's official security advisory and Chrome Web Store listing before deployment. SEC.co does not provide legal advice regarding CIPA compliance; consult your institution's legal counsel for regulatory implications. This vulnerability is not currently listed in CISA's KEV catalog and no public exploit code is known, but security postures should evolve as new information emerges. Organizations should conduct testing in non-production environments before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42504HIGHMIME Header CPU Exhaustion Denial of Service – Patch Guidance
- CVE-2026-8594MEDIUMText::LineFold Denial of Service via Output Duplication
- CVE-2026-8874HIGHSecurly Chrome Extension Cleartext Configuration Download Vulnerability
- CVE-2026-8876HIGHHardcoded AES Keys in Securly Chrome Extension 3.0.7
- CVE-2026-8878HIGHSecurly Chrome Extension 3.0.7 Exposes Password Hashes via Weak Encryption
- CVE-2026-8879HIGHSecurly Chrome Extension 3.0.7 Availability Denial – Blank Page on Service Outage
- CVE-2026-8881HIGHSecurly Chrome Extension Weak Cryptography Vulnerability (MD5 Key Derivation)
- CVE-2026-8888HIGHSecurly Chrome Extension HTTP Regex DoS Vulnerability