Description
Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.115 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-11
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A crafted HTML page lets a remote attacker bypass the same‑origin policy through Chrome DevTools in all Chrome releases prior to 149.0.7827.115. The same‑origin policy is the browser control that keeps content from one origin from reading or acting on data belonging to another, so a bypass allows attacker‑controlled content to read or manipulate data from other origins, potentially leading to theft of sensitive information, unauthorized actions, or further exploitation. Chrome attributes the root cause to insufficient policy enforcement inside DevTools; the CVE entry gives no further technical detail.

Affected Systems

Google Chrome prior to version 149.0.7827.115 is affected; the description does not limit the flaw to a particular platform or release channel. Any installation that has not applied the update contains the vulnerability.

Risk and Exploitability

Chromium rates the issue High severity. No EPSS score has been assigned yet, and the CVE is not in the CISA KEV catalog, so there is no public confirmation of exploitation at the time of writing; absence from KEV is not evidence that exploitation has not occurred. The attack vector is a user loading a maliciously crafted web page. The description does not say whether DevTools must already be open or whether any user action beyond visiting the page is required, so the preconditions should be assumed minimal until Chrome publishes more detail. A remotely reachable same‑origin‑policy bypass rated High warrants prompt patching regardless.

Generated by OpenCVE AI on June 11, 2026 at 22:34 UTC.

Remediation

Fixed in Google Chrome 149.0.7827.115, per the Chrome description above. No vendor workaround is documented.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.115 or later to apply the official fix
  • If an immediate update is not possible, restrict DevTools for managed users via the enterprise DeveloperToolsAvailability policy (value 2 disallows DevTools). Treat this as hardening rather than a confirmed mitigation: the CVE entry does not state that the bypass requires the user to open DevTools
  • Treat network or content filtering as a secondary control only: no exploit details or indicators are public, so filters cannot target this bug specifically, and the update remains the only reliable fix
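
A practitioner rolling out the two actions above usually wants a script that tells an unpatched build from a patched one and stages the DevTools policy only where needed. The following is an added example written for this page, not code from OpenCVE or Google. The fixed version comes from the CVE description; the policy name and its Linux and Windows locations are Chrome's documented enterprise policy. The policy file name, the POLICY_DIR variable and the expectation that the first dotted number in `--version` output is the build number are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from OpenCVE or Google): compare an installed Chrome build
# against the fixed version named in the CVE description and, if it is older,
# stage the enterprise policy that disallows DevTools as a stop-gap.
# Assumed by this example: the policy file name "disable-devtools.json" and the
# POLICY_DIR override variable.

FIXED_VERSION="149.0.7827.115"   # first fixed build, from the CVE description

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower than B.
# Components are compared numerically left to right; a missing component counts
# as 0, so "149.0" < "149.0.0.1". Pure POSIX sh, no dependence on sort -V.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}
        bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then return 0; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then return 1; fi
    done
    return 1   # versions are equal
}

# chrome_is_affected VERSION: succeed when VERSION predates the fixed build.
chrome_is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# parse_chrome_version "Google Chrome 148.0.7800.22" -> 148.0.7800.22
# Extracts the first dotted number from the output of `google-chrome --version`
# or `chromium --version`; prints nothing when no version is present.
parse_chrome_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# write_devtools_policy DIR: write a managed-policy JSON file into DIR that sets
# DeveloperToolsAvailability to 2 (DevTools disallowed). Chrome on Linux reads
# /etc/opt/chrome/policies/managed/*.json (Chromium: /etc/chromium/policies/managed);
# the Windows equivalent is the REG_DWORD value
# HKLM\SOFTWARE\Policies\Google\Chrome\DeveloperToolsAvailability = 2.
write_devtools_policy() {
    mkdir -p "$1" || return 1
    printf '{\n  "DeveloperToolsAvailability": 2\n}\n' > "$1/disable-devtools.json"
}

# main VERSION_STRING: parse the version, decide, and stage the policy if needed.
main() {
    installed=$(parse_chrome_version "$1")
    if [ -z "$installed" ]; then
        echo "could not parse a Chrome version from: $1" >&2
        return 2
    fi
    if chrome_is_affected "$installed"; then
        echo "Chrome $installed predates $FIXED_VERSION: staging DeveloperToolsAvailability=2" >&2
        write_devtools_policy "${POLICY_DIR:-/etc/opt/chrome/policies/managed}"
    else
        echo "Chrome $installed is at or past $FIXED_VERSION: no mitigation needed" >&2
    fi
}

# Usage: sh check-cve-2026-12024.sh "$(google-chrome --version)"
# Set POLICY_DIR to write the policy file somewhere other than the system path.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it as root on a Linux endpoint with the `--version` output of the installed browser; on a fleet it is simpler to feed the version strings collected by your inventory tool to `chrome_is_affected` and push the registry value or JSON file through your configuration management rather than from each host. Remove the policy file once the fleet is on 149.0.7827.115 or later, since leaving DevTools disabled is a usability cost with no further benefit.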

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 23:00:00 +0000

Type         Values Removed   Values Added
Title                         Remote Same‑Origin Policy Bypass via CSRF in Chrome DevTools
Weaknesses                    CWE-640
                              CWE-795

Thu, 11 Jun 2026 22:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Google
                                       Google chrome
Vendors & Products                     Google
                                       Google chrome

Thu, 11 Jun 2026 21:30:00 +0000

Type         Values Removed   Values Added
Description                   Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.115 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-11T20:48:10.795Z

Reserved: 2026-06-11T18:16:06.711Z

Link: CVE-2026-12024

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-11T22:16:54.930

Modified: 2026-06-11T22:16:54.930

Link: CVE-2026-12024

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T22:45:05Z

Weaknesses
  • CWE-640

    Weak Password Recovery Mechanism for Forgotten Password

  • CWE-795

    Only Filtering Special Elements at a Specified Location

Neither CWE matches the flaw the description reports (a same‑origin‑policy bypass caused by insufficient policy enforcement in DevTools, with no password‑recovery or input‑filtering component); treat this mapping as provisional until the CVE record is enriched.