Description
Inappropriate implementation in Signin in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Signin implementation of Google Chrome for iOS allows a remote adversary to craft an HTML page that bypasses navigation restrictions. Chromium classifies the issue as medium severity. If exploited, the attacker can cause the browser to navigate to pages or capabilities that should normally be blocked, potentially leading to unauthorized access or data exposure within the browsing context. The weakness reflects improper enforcement of navigation policies: an access control issue that undermines the intended security controls.

Affected Systems

Google Chrome for iOS – versions older than 149.0.7827.53. Users running any earlier stable-channel release are vulnerable. No specific device or OS version constraints beyond iOS are listed.

Risk and Exploitability

The EPSS score is below 1%, indicating a low probability of exploitation, and the CVSS score of 6.5 rates the vulnerability as medium severity. No public exploit is known and the CVE is absent from the CISA KEV catalog, which suggests a lower likelihood of widespread exploitation. Nonetheless, the vulnerability can be triggered from a remote web page, so any user who opens a malicious site in Chrome could be affected. The attack vector is remote via network.

Generated by OpenCVE AI on June 5, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome on iOS to version 149.0.7827.53 or later via the App Store
  • Avoid opening potentially malicious links or sites in Chrome until the update is installed to reduce exposure
  • Use Safari or another browser for sensitive sign-in activities until the update is applied as a temporary workaround

Advisories
Source: Debian DSA | ID: DSA-6325-1 | Title: chromium security update
History

Tue, 09 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Chrome iOS Signin Improper Navigation Control Allows Remote Navigation Bypass chromium-browser: chromium-browser: Inappropriate implementation in Signin
References
Metrics threat_severity

None

threat_severity

Moderate


Sat, 06 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple iphone Os
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple iphone Os

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Title Chrome iOS Signin Improper Navigation Control Allows Remote Navigation Bypass

Fri, 05 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Remote Navigation Restriction Bypass via Crafted HTML in Chrome iOS Signin
Weaknesses CWE-862

Fri, 05 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Remote Navigation Restriction Bypass via Crafted HTML in Chrome iOS Signin
Weaknesses CWE-862

Fri, 05 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Signin in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T15:35:47.778Z

Reserved: 2026-06-04T17:10:47.721Z

Link: CVE-2026-11204

Vulnrichment

Updated: 2026-06-05T14:46:24.217Z

NVD

Status : Analyzed

Published: 2026-06-04T23:17:27.590

Modified: 2026-06-06T01:59:26.910

Link: CVE-2026-11204

Redhat

Severity : Moderate

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11204 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-05T20:15:09Z

Weaknesses