Description
Inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Chrome’s DeviceBoundSessionCredentials handling in versions prior to 149.0.7827.197 permits a remote attacker to craft an HTML page that bypasses the browser’s same‑origin policy. The weakness lies in insufficient origin isolation and is marked as CWE‑346. This can enable the attacker to read or modify data that should be confined to a single origin, including sensitive information such as cookies and local storage, thereby compromising user confidentiality and integrity.

Affected Systems

Users operating Google Chrome before the 149.0.7827.197 release are affected. The issue appears in the stable channel and was addressed in the update published in June 2026.

Risk and Exploitability

Chromium rates the vulnerability as High, but the CVSS score is 4.3, denoting moderate risk. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, suggesting it has not yet been exploited in the wild. The likely attack vector is a remote attacker hosting a malicious webpage; a victim visiting that page triggers the exploit without any local code execution or elevated privileges.

Generated by OpenCVE AI on June 24, 2026 at 23:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to 149.0.7827.197 or newer.
  • If an upgrade is not immediately feasible, block access to sites suspected of hosting malicious content through network filtering or safe‑browse controls.
  • Deploy a browser extension that enforces stricter same‑origin checks to mitigate the risk.

Generated by OpenCVE AI on June 24, 2026 at 23:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4654-1 chromium security update
Debian DSA Debian DSA DSA-6364-1 chromium security update
History

Thu, 25 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Same‑Origin Policy Bypass via DeviceBoundSessionCredentials in Google Chrome

Wed, 24 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Same Origin Policy Bypass via DeviceBoundSessionCredentials in Chrome
Weaknesses CWE-20
CWE-613

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Same Origin Policy Bypass via DeviceBoundSessionCredentials in Chrome
Weaknesses CWE-20
CWE-613

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:27:44.583Z

Reserved: 2026-06-23T17:14:07.554Z

Link: CVE-2026-13021

cve-icon Vulnrichment

Updated: 2026-06-24T19:26:52.038Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T06:30:16Z

Weaknesses