CVE-2026-10922 - Vulnerability Details

Description

Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via malicious network traffic. (Chromium security severity: High)

Published: 2026-06-04

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The flaw arises from insufficient validation of untrusted input in the DevTools interface. A remote attacker can coerce a user into performing certain UI gestures, causing the browser to accept malicious network traffic and bypass the Same Origin Policy.

Affected Systems

Google Chrome versions prior to 149.0.7827.53 on all desktop platforms are vulnerable. The issue is present in the stable channel and has been noted in Chromium issue 499164652.

Risk and Exploitability

Chromium rates this vulnerability as High. No EPSS score is available and it is not listed in the CISA KEV catalog. Exploitation would require social engineering to convince the user to interact with the specified gestures, and no public exploit has been confirmed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`149.0.7827.53`	affected	< 149.0.7827.53

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Google Chrome to version 149.0.7827.53 or newer.
Restrict access to DevTools or disable it for untrusted sites to reduce the attack surface.
Subscribe to Chrome security advisories and apply updates promptly to stay protected.

Generated by OpenCVE AI on June 5, 2026 at 01:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/499164652

History

Fri, 05 Jun 2026 01:30:00 +0000

Type	Values Removed	Values Added
Title		Remote Same-Origin Policy Bypass via DevTools Input Validation Flaw

Thu, 04 Jun 2026 23:15:00 +0000

Type	Values Removed	Values Added
Description		Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via malicious network traffic. (Chromium security severity: High)
Weaknesses		CWE-20
References		https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499164652

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-06-04T23:03:40.056Z

Updated: 2026-06-04T23:03:40.056Z

Reserved: 2026-06-04T17:06:07.055Z

Link: CVE-2026-10922

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-04T23:16:54.513

Modified: 2026-06-04T23:16:54.513

Link: CVE-2026-10922

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T01:15:15Z

Weaknesses

CWE-20

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object