Description
Insufficient validation of untrusted input in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input in the Password Manager component of Google Chrome allows a remote attacker to send crafted network traffic that can cause the browser to display spoofed login prompts. This flaw can mislead a user into believing they are interacting with a legitimate password request, potentially leading to credential disclosure. The weakness is a classic input‑validation failure (CWE‑20).

Affected Systems

Google Chrome users running versions prior to 149.0.7827.53 are affected; the fix is included in 149.0.7827.53 and later releases. The flaw lies specifically within the Password Manager feature of the browser.

Risk and Exploitability

Chromium classifies the vulnerability with a medium severity. EPSS data is not available, and the KEV status indicates it is not listed in the CISA KEV catalog, suggesting limited public exploitation. The attack requires an attacker to deliver malicious traffic while the user employs the Password Manager, indicating a remote, user‑interaction‑based vector that can compromise credential confidentiality and integrity.

Generated by OpenCVE AI on June 5, 2026 at 05:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later, which includes the input‑validation fix.
  • If an immediate update is not possible, consider disabling or restricting the use of the Password Manager until the patch is installed to reduce the risk of UI spoofing.
  • Employ network controls, such as firewall rules or segmentation, to limit exposure of the browser to potentially malicious traffic.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 07:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 05 Jun 2026 06:00:00 +0000

Type | Values Removed | Values Added
Title | | UI Spoofing via Insufficient Validation in Google Chrome Password Manager

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Medium)
Weaknesses | | CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:27.785Z

Reserved: 2026-06-04T17:06:33.451Z

Link: CVE-2026-11031

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-04T23:17:07.157

Modified: 2026-06-05T15:02:59.990

Link: CVE-2026-11031

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T06:45:33Z

Weaknesses