Description
Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A violation of policy enforcement in the DevTools component of Google Chrome permits an attacker to cause a user, after the user has installed a malicious extension, to expose data from a different origin. The flaw allows the extension to bypass normal same‑origin restrictions and read content that should be inaccessible, thereby constituting an information disclosure vulnerability. The weakness is an inadequate enforcement of access controls on DevTools‑related APIs, and it can lead to the leak of sensitive information to an attacker.

Affected Systems

This issue affects Google Chrome installations on Windows, macOS, and Linux that are prior to version 149.0.7827.53. Users running earlier versions remain vulnerable. No third‑party products are listed.

Risk and Exploitability

The vulnerability has a CVSS score of 4.3 and an EPSS score of less than 1%, and it is not listed in CISA's KEV catalog. It is classified as medium severity in Chromium. Attackers would need to persuade a user to install a malicious extension and then rely on the DevTools policy gap to read cross‑origin data. Exploitation requires the user to have enabled the extension, so while the threat exists, the probability of exploitation in the wild is uncertain but non‑zero. Given the lack of public exploitation reports, the risk remains moderate; however, the potential for confidential information leakage warrants prompt mitigation.

Generated by OpenCVE AI on June 7, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or newer
  • Review and remove any suspicious or untrusted extensions
  • Enforce enterprise policies that block installation of unverified extensions

Generated by OpenCVE AI on June 7, 2026 at 16:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome DevTools Policy Gap Enables Cross‑Origin Data Leakage chromium-browser: Insufficient policy enforcement in DevTools
Weaknesses CWE-346
References
Metrics threat_severity

None

 threat_severity

Moderate

Sat, 06 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title Chrome DevTools Policy Gap Enables Cross‑Origin Data Leakage

Fri, 05 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Title Chrome DevTools Policy Enforcement Vulnerability Allows Cross-Origin Data Leak via Malicious Extension
Weaknesses CWE-200

Fri, 05 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Title Chrome DevTools Policy Enforcement Vulnerability Allows Cross-Origin Data Leak via Malicious Extension
Weaknesses CWE-200

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T14:31:41.610Z

Reserved: 2026-06-04T17:10:51.452Z

Link: CVE-2026-11212

cve-icon Vulnrichment

Updated: 2026-06-05T14:31:36.475Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:28.573

Modified: 2026-06-06T01:58:11.750

Link: CVE-2026-11212

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11212 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T16:45:04Z

Weaknesses