Description
Inappropriate implementation in Android Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Android Autofill component of Google Chrome on Android (the integration between Chrome and the Android autofill framework) does not correctly enforce the same-origin policy, so a crafted HTML page can obtain autofill data that belongs to another origin. The flaw is a policy-enforcement bypass rather than memory corruption or code injection, and it is classified under CWE-200 (exposure of sensitive information). It requires no local privileges: the only precondition is that the victim loads the attacker's page in an affected Chrome build. The practical impact is disclosure of whatever the autofill path exposes cross-origin, which in the worst case means credentials or personal data saved for a different site. Chromium rates the issue Low severity, so the exposure is expected to be narrow rather than a general read of another origin's content.

Affected Systems

Google Chrome for Android in any version earlier than 149.0.7827.53. The CVE description names 149.0.7827.53 as the first fixed release; that build and anything later is not affected. Desktop Chrome is not named, since the bug is in the Android-specific autofill integration.

Risk and Exploitability

No CVSS score has been published and no EPSS estimate is available, so the quantitative baseline is unknown; the only severity signal on the page is Chromium's own rating of Low. The issue is not in the CISA KEV catalog, which means CISA has not recorded exploitation in the wild; it does not mean exploitation is impossible or that no exploit exists. The attack vector is a remote crafted HTML page, so an attacker needs only to get a user of an unpatched build to visit a page they control (a link, an ad, or a compromised site). Until the browser is updated, such users remain exposed to cross-origin leakage of autofill data.

Generated by OpenCVE AI on June 5, 2026 at 01:23 UTC.

Remediation

The vendor fix is the Chrome for Android release 149.0.7827.53 named in the CVE description; no separate workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Update Chrome for Android to version 149.0.7827.53 or later, the first release containing the fix for the Android Autofill same-origin policy bug. Confirm the installed version at chrome://version after the update.
  • Relaunch Chrome after the update so that the patched build is the one actually running; a full device restart is not required.
  • If the update cannot be applied immediately, reduce exposure by turning off the Android autofill service integration in Chrome (or at device level via device policy) until the browser is updated. This limits what the bypass can reach but is a mitigation, not a vendor-supplied fix.
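A fleet-side check, added here as an example rather than taken from the OpenCVE page or from Google: compare the Chrome version reported by a device against the first fixed release named in the CVE description. The comparison function is general (it works for any four-part Chrome version string); the device query assumes adb is on PATH, the device is authorized, and the stable-channel package name com.android.chrome.

```shell
#!/bin/sh
# Added example, not OpenCVE or Google code. Decides whether an installed
# Chrome for Android build is at or past the first fixed release for this CVE.

FIXED_VERSION="149.0.7827.53"   # first fixed release per the CVE description

# version_ge A B: true (exit 0) if dotted version A >= B, comparing each of the
# four fields numerically. Missing trailing fields are treated as 0.
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# chrome_is_fixed VERSION: prints "fixed" (exit 0) or "vulnerable" (exit 1).
chrome_is_fixed() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "fixed"; return 0
    fi
    echo "vulnerable"; return 1
}

# installed_chrome_version SERIAL: reads versionName from a connected device.
# Assumes adb on PATH and an authorized device; com.android.chrome is the
# stable-channel package (beta/dev/canary use different package names).
installed_chrome_version() {
    adb -s "$1" shell dumpsys package com.android.chrome 2>/dev/null \
        | sed -n 's/^[[:space:]]*versionName=//p' | head -n 1
}

# Usage against a device (uncomment with a real serial from `adb devices`):
# v=$(installed_chrome_version "$SERIAL"); printf '%s: ' "$v"; chrome_is_fixed "$v"
```

Run it over the serial list from `adb devices` to get one line per device; anything printed as "vulnerable" still needs the 149.0.7827.53 update.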

Generated by OpenCVE AI on June 5, 2026 at 01:23 UTC.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:45:00 +0000

Type                 Values Removed   Values Added
Title                                 Android Autofill Same-Origin Policy Bypass in Chrome
Weaknesses                            CWE-200

Fri, 05 Jun 2026 01:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Google
                                      Google chrome
Vendors & Products                    Google
                                      Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type                 Values Removed   Values Added
Description                           Inappropriate implementation in Android Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)

References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:21.005Z

Reserved: 2026-06-04T17:11:17.285Z

Link: CVE-2026-11291

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T00:17:06.727

Modified: 2026-06-05T00:17:06.727

Link: CVE-2026-11291

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T01:30:25Z

Weaknesses