Description
Insufficient policy enforcement in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in the Android Chrome WebView component allows a remote attacker to expose data from a different origin by serving a specially crafted HTML page. This flaw permits the retrieval of information that should be confined to its originating origin, compromising the confidentiality of the victim’s data. The weakness aligns with information‑exposure and access‑control concepts, corresponding to CWE‑200 and CWE‑285.

Affected Systems

The vulnerability affects Google Chrome for Android versions up to but not including 149.0.7827.53. Android users running a Chrome build older than 149.0.7827.53 are exposed.

Risk and Exploitability

The CVE carries a medium severity rating and is not flagged in the CISA KEV catalog. EPSS information is unavailable, so the probability of exploitation cannot be quantified. Exploitation requires the attacker to deliver a malicious HTML page to the target device, typically via a site or hosted content that the device’s Chrome WebView will load. With no current exploit available in the wild, the risk remains primarily contingent on the attacker’s ability to serve such content to the victim.

Generated by OpenCVE AI on June 5, 2026 at 03:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome for Android to version 149.0.7827.53 or later.
  • For applications that embed WebView and must load untrusted content, configure the WebView client to enforce strict origin restrictions or disable access to data from other origins.
  • Audit and review any custom WebView implementations to ensure they adhere to the updated security policies and do not re‑enable the unpatched behavior.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 07:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google, Google chrome
Vendors & Products | | Google, Google chrome

Fri, 05 Jun 2026 04:15:00 +0000

Type | Values Removed | Values Added
Title | | Cross‑Origin Data Leak via Insufficient Policy Enforcement in Android Chrome WebView
Weaknesses | | CWE-200, CWE-285

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:32.471Z

Reserved: 2026-06-04T17:10:39.363Z

Link: CVE-2026-11178

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:24.687

Modified: 2026-06-04T23:17:24.687

Link: CVE-2026-11178

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T07:30:30Z

Weaknesses