Description
Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is insufficient policy enforcement in Chrome's Actor component, which lets a remote attacker bypass navigation restrictions with a crafted HTML page. An attacker could direct a user to URLs that should be blocked, potentially facilitating phishing or delivery of malicious content. Chromium's own assessment rates the issue as Medium severity, indicating a non-fatal but significant impact on user protection.

Affected Systems

Google Chrome versions prior to 149.0.7827.53 are affected. A single update to that version or later resolves the problem. The flaw is limited to browsers using the Actor component, and does not impact the underlying operating system or other software.

Risk and Exploitability

The vulnerability is exploitable over the network by serving a specially crafted web page. An attacker would need to deliver the page to a user running a vulnerable Chrome build. Because no EPSS data is present and the flaw is not listed in the CISA KEV catalog, the likelihood of widespread exploitation is currently unclear, but the Medium severity rating suggests it warrants moderate priority in assessment. Upgrading to the patched release should eliminate the risk.

Generated by OpenCVE AI on June 5, 2026 at 02:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later, using the stable channel to obtain the fix.
  • Configure enterprise navigation policies (e.g., blocklist or whitelist URIs) to reinforce restrictions after the update.
  • Maintain an update schedule and monitor Google’s release notes for future patches or additional mitigations.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 04:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 05 Jun 2026 03:15:00 +0000

Type | Values Removed | Values Added
Title | | Navigation Restrictions Bypass via Policy Enforcement Flaw in Chrome
Weaknesses | | CWE-284

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:22.252Z

Reserved: 2026-06-04T17:06:30.447Z

Link: CVE-2026-11018

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:05.750

Modified: 2026-06-04T23:17:05.750

Link: CVE-2026-11018

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T04:00:11Z

Weaknesses