Description
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-24
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Inappropriate handling of password data in Google Chrome allowed a remote attacker who had already compromised the renderer process to bypass site isolation using a crafted HTML page. The flaw enables the attacker to break out of the renderer sandbox, access privileged browser processes, and potentially read or manipulate user credentials and other sensitive data that would normally be protected by site isolation. The vulnerability is classified as high severity by Chromium security.

Affected Systems

Google Chrome browsers prior to version 149.0.7827.197 are affected. Any deployment running an earlier stable version of the Chrome browser is vulnerable until updated to the specified release or later.

Risk and Exploitability

The CVSS score is not provided in the public data, but the vulnerability is listed as high severity. EPSS is not available, and the issue is not currently listed in CISA KEV. The likely attack vector is a malicious or compromised webpage accessed by an unsuspecting user; the attacker must first achieve code execution in the renderer process, after which the site isolation bypass can be triggered. Given the lack of publicly disclosed exploit tools and the requirement for a compromised renderer, the exploitation likelihood is moderate to high for active attackers with advanced capabilities. The potential impact includes unauthorized access to stored passwords, session data, and other sensitive information that could lead to credential theft, account takeover, or broader system compromise.

Generated by OpenCVE AI on June 24, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.197 or later and ensure the browser is running the stable channel
  • After installing the update, restart all Chrome processes to apply the changes
  • If an update cannot be performed immediately, disable automatic password saving and clear any stored passwords, and consider using a separate user profile or incognito mode to isolate browsing sessions
  • Verify that site isolation is enabled by checking chrome://flags and ensuring “Force Site Isolation” is set to Enabled

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Title | | Site Isolation Bypass via Crafted HTML Page in Chrome Passwords
Weaknesses | | CWE-200, CWE-295

Wed, 24 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-346
Metrics | | cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
References | |

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:28:08.757Z

Reserved: 2026-06-23T17:14:12.011Z

Link: CVE-2026-13034

Vulnrichment

Updated: 2026-06-24T19:27:16.390Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-295: Improper Certificate Validation
  • CWE-346: Origin Validation Error