Description
Insufficient policy enforcement in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Before version 149.0.7827.53, Google Chrome’s Autofill feature contained insufficient policy enforcement that allowed a remote attacker to bypass discretionary access control protections. By sending a specially crafted HTML page to the victim’s browser, the attacker can gain unauthorized privileges or cause the browser to perform actions it should be prohibited from executing. This results in a breach of confidentiality, integrity, or availability of the user’s data within the Chrome environment.

Affected Systems

The vulnerability affects desktop installations of Google Chrome with versions earlier than 149.0.7827.53. No operating-system restrictions were identified; the flaw is present on any platform running an affected Chrome build.

Risk and Exploitability

The CVE is classified as medium severity and is not listed in CISA KEV, and the EPSS score is unavailable. The attack vector is inferred to be remote, delivered via a crafted HTML page that the user interacts with, implying that any user visiting a malicious site while running an affected Chrome version could be compromised. Given the lack of public exploit data, exploitation probability is considered moderate.

Generated by OpenCVE AI on June 5, 2026 at 05:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later
  • If updating is delayed, disable or restrict the Autofill feature via Chrome policy or settings to prevent the abused functionality
  • Ensure that the browser update mechanism remains enabled so future patches are applied promptly

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Weaknesses | | CWE-285
Vendors & Products | | Google; Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:14.090Z

Reserved: 2026-06-04T17:06:58.099Z

Link: CVE-2026-11135

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:19.640

Modified: 2026-06-04T23:17:19.640

Link: CVE-2026-11135

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T05:15:25Z

Weaknesses