Description
Inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-24
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the implementation of DeviceBoundSessionCredentials in Google Chrome releases before 149.0.7827.197 allows a remote attacker to craft an HTML page that can bypass the browser’s same‑origin security boundary. This vulnerability enables the attacker to read or modify data that should be confined to a single origin, potentially exposing sensitive user data, session cookies, or other credentials. The nature of the weakness is a failure to enforce origin isolation, which is the basis of web confidentiality and integrity. Based on the description, the impact is a cross‑origin data leak or manipulation by the malicious page, affecting any user who visits the crafted content.

Affected Systems

All users running Google Chrome prior to version 149.0.7827.197 are affected. The issue applies to the stable channel and is mitigated in later releases, including the new build referenced in the Google release notes.

Risk and Exploitability

Chromium labels the severity as High. No EPSS score is available and the vulnerability is not listed in CISA KEV, indicating that exploitation has not yet been observed in the wild. The inherent risk is still significant, because a same‑origin policy bypass can deliver arbitrary cross‑site data access. The likely attack vector is a remote attacker hosting a malicious web page that a victim visits; no local setup or user‑initiated code execution is required.

Generated by OpenCVE AI on June 24, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to the latest stable release (149.0.7827.197 or newer).
  • If an upgrade is temporarily infeasible, disable reliance on DeviceBoundSessionCredentials or use browser extensions that enforce stricter same‑origin checks.
  • Audit and restrict user access to potentially malicious sites, and monitor for unauthorized cross‑origin requests in browser logs.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:45:00 +0000

Type         Values Removed   Values Added
Title                         Same Origin Policy Bypass via DeviceBoundSessionCredentials in Chrome
Weaknesses                    CWE-20, CWE-613

Wed, 24 Jun 2026 20:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-346
Metrics                       cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 19:15:00 +0000

Type         Values Removed   Values Added
Description                   Inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:27:44.583Z

Reserved: 2026-06-23T17:14:07.554Z

Link: CVE-2026-13021

Vulnrichment

Updated: 2026-06-24T19:26:52.038Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-346

    Origin Validation Error

  • CWE-613

    Insufficient Session Expiration