Description
Insufficient validation of untrusted input in WebAuthentication in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from insufficient validation of untrusted input in the WebAuthentication component of Google Chrome. This input validation weakness (CWE‑20) coupled with potential cross‑site scripting (CWE‑79) allows a crafted HTML page to bypass the same‑origin policy. The attacker, after compromising the renderer process, can read or interact with resources from a domain that would normally be disallowed, compromising confidentiality and potentially enabling further internal movement.

Affected Systems

Google Chrome versions earlier than 149.0.7827.53 are affected. The flaw exists in the stable channel and applies to Chrome running on Windows, macOS, and Linux. All users on those platforms should update to the June 2026 security release or later.

Risk and Exploitability

Chromium assigns this flaw a CVSS score of 3.1, reflecting low severity. The EPSS score is less than 1%, indicating that exploitation is unlikely and no public exploits are documented. The vulnerability requires that the attacker already has control of the renderer process; it cannot be triggered solely from a remote network connection. It is not listed in the CISA KEV catalog, further supporting a limited threat profile.

Generated by OpenCVE AI on June 7, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later
  • Disable or limit the use of WebAuthentication if possible within the application context
  • Ensure that the renderer process is isolated from untrusted content

Generated by OpenCVE AI on June 7, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient validation of untrusted input in WebAuthentication
Weaknesses CWE-79
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 05 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Same-origin Policy Bypass via Untrusted WebAuthentication Input

Fri, 05 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Same-origin Policy Bypass via Untrusted WebAuthentication Input

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in WebAuthentication in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T12:15:14.764Z

Reserved: 2026-06-04T17:11:02.259Z

Link: CVE-2026-11244

cve-icon Vulnrichment

Updated: 2026-06-05T12:12:14.284Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T00:17:00.727

Modified: 2026-06-05T16:43:57.710

Link: CVE-2026-11244

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11244 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T16:30:04Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')