Impact
The flaw lies in Chrome’s handling of navigation requests from extensions that have permission to override default navigation policies. An attacker who convinces a user to install a malicious extension can use that extension to bypass restrictions that normally prevent navigation to certain URLs, such as blocked domains or unsafe content. This gives the attacker unauthorized control over where the user’s browser can navigate, undermining protection against phishing and malware sites.
Affected Systems
Google Chrome on all supported platforms (Windows, macOS, Linux, Chrome OS) is affected in versions prior to 149.0.7827.53; any user who runs an older version and installs an untrusted extension is at risk.
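A quick way to triage a fleet against the fixed version quoted above, as an added example (not OpenCVE's or Chromium's code). It assumes Chrome reports its version as four dot-separated integers, as in the output of `google-chrome --version`, and that 149.0.7827.53 is the first safe build; the host inventory is constructed sample data.

```python
import re

# First fixed build named in the advisory; anything lower is unpatched.
FIXED_VERSION = (149, 0, 7827, 53)

# Matches the version token in output such as "Google Chrome 148.0.7700.10".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Return the 4-part version found in `text` as a tuple, or None if absent."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(p) for p in m.groups())


def is_vulnerable(text: str):
    """True if the build predates the fix, False if fixed, None if unparseable
    (treat None as 'needs manual review' rather than 'safe')."""
    v = parse_version(text)
    if v is None:
        return None
    # Tuple comparison is numeric per component, so 149.0.7827.100 > 149.0.7827.53.
    return v < FIXED_VERSION


def triage(inventory: dict) -> dict:
    """Group hosts by status from a host -> version-string inventory."""
    out = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, line in inventory.items():
        status = is_vulnerable(line)
        key = "unknown" if status is None else ("vulnerable" if status else "fixed")
        out[key].append(host)
    return out


# Constructed sample inventory (hypothetical hosts), one line per host.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 148.0.7700.10",
    "ws-02": "Google Chrome 149.0.7827.53",
    "ws-03": "Google Chrome 149.0.7827.100",
    "ws-04": "Google Chrome 149.0.7800.99",
    "ws-05": "command not found",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```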
Risk and Exploitability
Chromium classifies this vulnerability as Medium severity. No EPSS score is available, and it is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector requires the user to install a malicious extension, meaning attackers must persuade or trick users into installing the extension, often via deceptive web pages or compromised sites. Once installed, the extension can override navigation restrictions, potentially redirecting users to malicious destinations. While the threat is not as high as some zero‑day exploits, it remains a low‑to‑moderate priority risk and should be mitigated promptly by applying the official Chrome update.
OpenCVE Enrichment