Description
Insufficient policy enforcement in ServiceWorker in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in ServiceWorker policy enforcement in Google Chrome allows a remote attacker who serves a crafted HTML page to read data that originates from a different origin. The underlying weakness is insufficient enforcement of the origin boundary, which lets the attacker bypass the normal same‑origin restrictions and leak sensitive information. The impact is therefore unauthorized disclosure of data that the browser's origin policies should protect. The flaw is classified as CWE‑346 (Origin Validation Error).

Affected Systems

The issue affects Google Chrome versions prior to 149.0.7827.53. Any desktop installation of an affected version on which ServiceWorker is enabled is potentially vulnerable. Later Chrome releases that contain the fix are not affected.

Risk and Exploitability

The EPSS score is less than 1%, indicating a very low likelihood of exploitation, and the CVSS base score of 6.5 reflects medium severity. The vulnerability is nonetheless reachable from a crafted HTML page, which can abuse Chrome's ServiceWorker implementation to request resources across origins; the attack vector is therefore practical in any browser context where the attacker can get the target user to load the page. The overall risk is moderate, and the likelihood of exploitation depends on the attacker's ability to serve such a page to the target user. The absence of a KEV listing suggests the issue is not being actively exploited at present.

Generated by OpenCVE AI on June 7, 2026 at 14:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or newer
  • Configure the Chrome policy setting to disable ServiceWorker usage for untrusted origins
  • Monitor browser activity for anomalous cross‑origin resource requests

Advisories

Source      ID          Title
Debian DSA  DSA-6325-1  chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000
  Title
    Removed: ServiceWorker Policy Enforcement Weakness Enables Cross‑Origin Data Leak in Chrome
    Added:   chromium-browser: Policy bypass in ServiceWorker
  Weaknesses
    Added:   CWE-346
  References
    (no values listed)
  Metrics: threat_severity
    Removed: None
    Added:   Moderate

Sat, 06 Jun 2026 02:00:00 +0000
  First Time appeared
    Added:   Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows
  CPEs
    Added:   cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
             cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
             cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
             cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  Vendors & Products
    Added:   Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows

Fri, 05 Jun 2026 17:15:00 +0000
  Title
    Added:   ServiceWorker Policy Enforcement Weakness Enables Cross‑Origin Data Leak in Chrome

Fri, 05 Jun 2026 15:30:00 +0000
  Weaknesses
    Added:   CWE-693
  Metrics: cvssV3_1
    Added:   {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
  Metrics: ssvc
    Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 08:15:00 +0000
  First Time appeared
    Added:   Google, Google chrome
  Vendors & Products
    Added:   Google, Google chrome

Thu, 04 Jun 2026 23:15:00 +0000
  Description
    Added:   Insufficient policy enforcement in ServiceWorker in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
  References
    (no values listed)

MITRE
  Status: PUBLISHED
  Assigner: Chrome
  Published:
  Updated: 2026-06-05T14:42:40.917Z
  Reserved: 2026-06-04T17:10:49.639Z
  Link: CVE-2026-11206

Vulnrichment
  Updated: 2026-06-05T14:42:35.860Z

NVD
  Status: Analyzed
  Published: 2026-06-04T23:17:27.813
  Modified: 2026-06-06T01:59:18.047
  Link: CVE-2026-11206

Redhat
  Severity: Moderate
  Public Date: 2026-06-02T00:00:00Z
  Links: CVE-2026-11206 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-06-07T15:00:13Z

Weaknesses
  • CWE-346: Origin Validation Error
  • CWE-693: Protection Mechanism Failure