Description
Insufficient policy enforcement in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in the Android Chrome WebView component allows a remote attacker to expose data from a different origin by serving a specially crafted HTML page. This flaw permits the retrieval of information that should be confined to its originating origin, compromising the confidentiality of the victim’s data. The weakness aligns with information‑exposure and access‑control concepts, corresponding to CWE-200, CWE-285 and CWE-346.

Affected Systems

The vulnerability affects Google Chrome for Android versions up to but not including 149.0.7827.53. Android users running a Chrome build older than 149.0.7827.53 are exposed.

Risk and Exploitability

The CVE has a CVSS score of 4.3, which is considered low severity, and is not listed in the CISA KEV catalog. EPSS score is <1%, indicating a very low probability of exploitation in the wild. Based on the description, the likely attack vector involves delivering a malicious HTML page that the device’s Chrome WebView will load, typically via a site or hosted content that the device’s WebView will render. With no current exploit available in the wild, the risk remains primarily contingent on the attacker’s ability to serve such content to the victim.

Generated by OpenCVE AI on June 5, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome for Android to version 149.0.7827.53 or later.
  • For applications that embed WebView and must load untrusted content, configure the WebView client to enforce strict origin restrictions or disable access to data from other origins.
  • Audit and review any custom WebView implementations to ensure they adhere to the updated security policies and do not re‑enable the unpatched behavior.

Generated by OpenCVE AI on June 5, 2026 at 19:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Google android
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google android

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Policy bypass in WebView
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 05 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leak via Insufficient Policy Enforcement in Android Chrome WebView

Fri, 05 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leak via Insufficient Policy Enforcement in Android Chrome WebView
Weaknesses CWE-200
CWE-285

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Google Android Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T16:46:07.522Z

Reserved: 2026-06-04T17:10:39.363Z

Link: CVE-2026-11178

cve-icon Vulnrichment

Updated: 2026-06-05T16:36:58.761Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:24.687

Modified: 2026-06-08T14:20:42.970

Link: CVE-2026-11178

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11178 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T19:15:03Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-285

    Improper Authorization

  • CWE-346

    Origin Validation Error