Description
Insufficient policy enforcement in Content Settings in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome prior to version 149.0.7827.53 did not correctly enforce policy rules for Content Settings, allowing a remote attacker to craft a malicious HTML page that could bypass normal discretionary access controls. The flaw is an Improper Authorization (CWE-284) and a lack of proper permissions enforcement (CWE-280). The consequence is that a user visiting the malicious page could alter Chrome’s content settings, potentially enabling further malicious actions such as tracking, cookie injection, or HTTPS overrides. The attacker thereby gains unauthorized configuration privileges that could facilitate subsequent attacks.

Affected Systems

Google Chrome browsers running any platform version earlier than 149.0.7827.53 are affected. The issue arises from shared policy enforcement code and impacts all operating systems supported by Chrome.

Risk and Exploitability

The EPSS score of 0.0002 (< 1%) and the fact that it is not listed in the CISA KEV catalog suggest no known widespread exploitation. The CVSS score of 4.3 indicates a low severity rating. The vulnerability is exploitable through a remote attack vector: a victim must open a crafted web page in Chrome. No privileged escalation is required; any user who loads the page can trigger the bypass. While the impact is limited to policy configuration, an adversary could chain this to more damaging actions, so the risk is moderate in environments where sensitive content settings are critical.

Generated by OpenCVE AI on June 7, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or later.
  • Reset all content settings to their default state via Settings → Privacy and security → Site settings → Reset all to default.
  • If your organization uses Chrome enterprise policies, enforce content‑settings policies through group policy or the Chrome Admin console to lock these settings and prevent local overrides.

Generated by OpenCVE AI on June 7, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Policy bypass in Content Settings
Weaknesses CWE-280
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 05 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Title Content Settings Policy Enforcement Bypass via Crafted HTML Page in Google Chrome

Fri, 05 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Content Settings Policy Enforcement Bypass via Crafted HTML Page in Google Chrome
Weaknesses CWE-284

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Content Settings in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T11:14:32.271Z

Reserved: 2026-06-04T17:11:05.166Z

Link: CVE-2026-11252

cve-icon Vulnrichment

Updated: 2026-06-05T11:13:25.996Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T00:17:01.733

Modified: 2026-06-05T15:27:29.233

Link: CVE-2026-11252

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11252 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T16:30:04Z

Weaknesses
  • CWE-280

    Improper Handling of Insufficient Permissions or Privileges

  • CWE-284

    Improper Access Control