Description
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Chrome’s handling of password prompts allows a remote adversary to extract cross‑origin user data when a victim engages in specific UI gestures on a malicious web page. The vulnerability stems from inadequate isolation of password‑related dialogs, enabling the attacker to read sensitive information that should remain hidden from the page’s origin. Consequently, the confidentiality of user credentials or other entered data is at risk.

Affected Systems

Google Chrome versions earlier than 149.0.7827.53 on all supported operating systems (Windows, macOS, Linux, Android, iOS) are affected.

Risk and Exploitability

Exploitation requires a victim to browse a crafted site and intentionally interact with the password UI, conditions that are typically achieved through social engineering or phishing. The Chromium security team rated the issue as Low; no CVSS score is publicly available, and the EPSS score is not reported. The vulnerability is not listed in the CISA KEV catalog, indicating limited public exploitation. Still, the potential for confidential data leakage warrants proactive mitigation.

Generated by OpenCVE AI on June 5, 2026 at 00:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to the latest stable release (149.0.7827.53 or newer).
  • If an immediate upgrade is not possible, disable the auto‑save password feature and avoid interacting with password prompts from untrusted sites.
  • Educate users to be cautious of phishing attempts that target the password entry flow and to verify the legitimacy of the site before entering credentials.



Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Cross‑Origin Data Leak via Password UI Gestures in Chrome |
| Weaknesses | | CWE-200 |

Fri, 05 Jun 2026 01:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Thu, 04 Jun 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) |

References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:12.679Z

Reserved: 2026-06-04T17:11:11.086Z

Link: CVE-2026-11271

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T00:17:04.137

Modified: 2026-06-05T00:17:04.137

Link: CVE-2026-11271

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T01:00:15Z

Weaknesses