Description
Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome’s Password Manager contains an improper implementation that allows a remote attacker to leak cross‑origin data through a crafted HTML page. When a user visits a malicious site, the browser can expose credentials that it would normally autofill for a different domain, leading to disclosure of sensitive login information. The vulnerability aligns with weaknesses such as missing authentication for critical functions and Cross‑Site Request Forgery (CWE-346, CWE-352). The issue represents a medium‑severity information exposure flaw.

Affected Systems

The issue affects Chrome on desktop operating systems. Any installation running a version of Chrome older than 149.0.7827.53 is vulnerable; earlier releases are also likely affected. The flaw does not depend on platform or administrative privileges, making it broadly applicable across Windows, macOS, and Linux users who use the default Password Manager.

Risk and Exploitability

The vulnerability is rated Medium with a CVSS score of 6.5. The EPSS score of less than 1 percent indicates a low likelihood that an active exploit will be seen in the wild, and it has not appeared in CISA’s KEV catalog. The likely attack vector is an attacker delivering a malicious web page (hosted over HTTP or HTTPS) that the victim visits, which triggers the inappropriate Password Manager behavior. No local privilege escalation or special network configuration is required; the attack is purely web‑based and remote.

Generated by OpenCVE AI on June 5, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or newer.
  • If an upgrade is not possible, disable the Password Manager component via enterprise policy or by clearing the toggle at chrome://settings/passwords to prevent autofill on any site.
  • Apply a browser extension or enforce policies that block autofill on third‑party origins, ensuring that passwords are only auto‑filled for explicitly trusted domains.

Generated by OpenCVE AI on June 5, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Mon, 08 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome Password Manager Cross‑Origin Data Leak via Crafted HTML chromium-browser: Inappropriate implementation in Password Manager
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 05 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Chrome Password Manager Cross‑Origin Data Leak via Crafted HTML

Fri, 05 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leak via Chrome Password Manager
Weaknesses CWE-200

Fri, 05 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
CWE-352
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leak via Chrome Password Manager
Weaknesses CWE-200

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T16:41:50.576Z

Reserved: 2026-06-04T17:06:46.199Z

Link: CVE-2026-11083

cve-icon Vulnrichment

Updated: 2026-06-05T14:28:13.594Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:13.103

Modified: 2026-06-08T14:35:29.507

Link: CVE-2026-11083

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11083 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T20:30:04Z

Weaknesses
  • CWE-346

    Origin Validation Error

  • CWE-352

    Cross-Site Request Forgery (CSRF)