Description
Insufficient policy enforcement in Content Settings in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome prior to version 149.0.7827.53 did not correctly enforce policy rules for Content Settings, allowing a remote attacker to craft a malicious HTML page that could bypass normal discretionary access controls. The flaw is an Improper Authorization weakness (CWE‑284). The consequence is that a user visiting the malicious page could alter Chrome’s content settings, potentially enabling further malicious actions such as tracking, cookie injection, or HTTPS overrides. The attacker thereby gains unauthorized configuration privileges that could facilitate subsequent attacks.

Affected Systems

Google Chrome browsers running any platform version earlier than 149.0.7827.53 are affected. The issue arises from shared policy enforcement code and impacts all operating systems supported by Chrome.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. The Chromium security team rated the issue as low severity. The vulnerability is exploitable through a remote attack vector: a victim must open a crafted web page in Chrome. No privileged escalation is required; any user who loads the page can trigger the bypass. While the impact is limited to policy configuration, an adversary could chain this to more damaging actions, so the risk is moderate in environments where sensitive content settings are critical.

Generated by OpenCVE AI on June 5, 2026 at 00:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or later.
  • Reset all content settings to their default state via Settings → Privacy and security → Site settings → Reset all to default.
  • If your organization uses Chrome enterprise policies, enforce content‑settings policies through group policy or the Chrome Admin console to lock these settings and prevent local overrides.

Generated by OpenCVE AI on June 5, 2026 at 00:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Content Settings Policy Enforcement Bypass via Crafted HTML Page in Google Chrome
Weaknesses CWE-284

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Content Settings in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:05.063Z

Reserved: 2026-06-04T17:11:05.166Z

Link: CVE-2026-11252

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:01.733

Modified: 2026-06-05T00:17:01.733

Link: CVE-2026-11252

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T01:00:14Z

Weaknesses