Description
Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in Chrome extensions permits a maliciously crafted extension to bypass the browser’s content security policy, thereby allowing arbitrary script execution and data exfiltration. The flaw is reachable once an attacker convinces a user to install the extension, after which the extension can perform privileged actions that CSP would normally block. This weakness directly undermines the integrity and confidentiality guarantees the browser normally provides and can be used for phishing, credential theft, or installation of additional malware.

Affected Systems

Google Chrome versions prior to 149.0.7827.53 are affected. The vulnerability is present in the stable channel on every operating system that runs Chrome up to this version.

Risk and Exploitability

The flaw is rated Low in Chromium severity but can be exploited once a user installs the malicious extension. Because the attack requires user interaction, the attacker’s access vector is user‑constrained. The exploit probability is not quantified (EPSS unavailable) and the vulnerability is not listed in CISA KEV. Nonetheless, any organization deploying Chrome to end users should treat it as a risk until the patch is applied.

Generated by OpenCVE AI on June 5, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later to receive the fixed policy enforcement
  • Disable or remove any suspicious or untrusted extensions and restrict user‑installed extensions via enterprise policy
  • Enforce strict extension source policies, allowing only extensions from the Chrome Web Store or approved vendors

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 03:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Google
                                      Google chrome
Vendors & Products                    Google
                                      Google chrome

Fri, 05 Jun 2026 01:15:00 +0000

Type                 Values Removed   Values Added
Title                                 Extension Policy Bypass via Malicious Chrome Extension
Weaknesses                            CWE-264
                                      CWE-284

Thu, 04 Jun 2026 23:45:00 +0000

Type                 Values Removed   Values Added
Description                           Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:11.164Z

Reserved: 2026-06-04T17:11:09.948Z

Link: CVE-2026-11267

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T00:17:03.637

Modified: 2026-06-05T00:17:03.637

Link: CVE-2026-11267

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T03:00:06Z

Weaknesses