Description
Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability results from an inappropriate implementation of the Permissions API in Google Chrome, which enables a remote attacker to access or leak data from a different origin via a specially crafted HTML page. This leads to the disclosure of confidential information that should have been protected by the browser’s same‑origin policy. The weakness aligns with CWE‑362, incorrect synchronization, suggesting a race condition that can be exploited to bypass policy enforcement.

Affected Systems

Google Chrome versions earlier than 149.0.7827.53 are affected. Users running those builds are susceptible to the data leakage unless the browser is upgraded.

Risk and Exploitability

The vulnerability carries a low Chromium security severity rating and no EPSS score is available. It is not listed in the CISA KEV catalog. The attack likely requires the victim to visit a malicious web page that contains crafted HTML and the Permissions API; the exploit is remote and does not require local privileges. Because of the low severity and lack of public exploit evidence, the overall risk remains moderate, but any exposure of cross‑origin data can be consequential in sensitive contexts.

Generated by OpenCVE AI on June 5, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later.
  • If an immediate update is not possible, consider disabling the Permissions API for cross‑origin requests via chrome://flags or via a managed policy until the patch is applied.
  • Configure your organization to enforce automatic updates of Google Chrome to ensure the vulnerability is fixed in future releases.

Generated by OpenCVE AI on June 5, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leak via Permissions Misimplementation
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-362
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:05.422Z

Reserved: 2026-06-04T17:11:05.490Z

Link: CVE-2026-11253

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:01.847

Modified: 2026-06-05T00:17:01.847

Link: CVE-2026-11253

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T00:30:07Z

Weaknesses