Description
Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in the Actor component of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to bypass navigation restrictions by delivering a crafted HTML page. This flaw permits a protected page to navigate to an arbitrary URL without user consent, enabling the browser to access resources that were intended to be blocked by policy. The impact is unauthorized navigation, not direct code execution.

Affected Systems

Google Chrome versions earlier than 149.0.7827.53 are affected. Users running older releases that have not yet been patched are at risk.

Risk and Exploitability

The CVSS score is 6.3 and EPSS is less than 1%, indicating a moderate severity but a low likelihood of exploitation. It is not listed in the CISA KEV catalog. Based on the description, the attacker must provide a crafted HTML page that the victim’s browser will load; it is inferred that this could be delivered via a malicious website or compromised content. Once the page is rendered, the policy bypass allows navigation to disallowed URLs without user interaction, posing a moderate risk of malicious content delivery through redirected navigation.

Generated by OpenCVE AI on June 7, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later.
  • Enable automatic updates for Chrome to ensure timely receipt of security patches.
  • If immediate upgrade is not possible, enforce stricter enterprise navigation policies or use web filtering to block prohibited sites.



Advisories
Source | ID | Title
Debian DSA | DSA-6325-1 | chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Insufficient policy enforcement in Google Chrome allows navigation restriction bypass via crafted HTML chromium-browser: Insufficient policy enforcement in Actor
Weaknesses CWE-280
References
Metrics threat_severity

None

threat_severity

Moderate


Sat, 06 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Insufficient policy enforcement in Google Chrome allows navigation restriction bypass via crafted HTML

Fri, 05 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title Bypass of Navigation Restrictions via Insufficient Policy Enforcement
Weaknesses CWE-861

Fri, 05 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-602
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Bypass of Navigation Restrictions via Insufficient Policy Enforcement
Weaknesses CWE-861

Fri, 05 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T12:51:22.267Z

Reserved: 2026-06-04T17:10:41.198Z

Link: CVE-2026-11184

Vulnrichment

Updated: 2026-06-05T12:51:05.332Z

NVD

Status: Analyzed

Published: 2026-06-04T23:17:25.357

Modified: 2026-06-06T01:42:03.333

Link: CVE-2026-11184

Red Hat

Severity: Moderate

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11184 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T16:00:04Z

Weaknesses
  • CWE-280

    Improper Handling of Insufficient Permissions or Privileges

  • CWE-602

    Client-Side Enforcement of Server-Side Security