Description
Inappropriate implementation in Autofill in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability originates from an inappropriate implementation within the Autofill component of Google Chrome on Android. A remote attacker who has already compromised the browser's renderer process can exploit this flaw to leak cross‑origin data through a specially crafted HTML page. The flaw allows an attacker to obtain sensitive information belonging to different origins, resulting in a potential information disclosure incident. The weakness is classified as CWE‑200: Information Exposure.

Affected Systems

Affected systems are devices running Google Chrome for Android versions earlier than 150.0.7871.47. This version boundary applies to the stable channel and all of its earlier releases. Users of any Android hardware or operating system that ships Chrome at these versions are at risk, as the flaw is present across all affected builds.

Risk and Exploitability

Chromium rates this issue as High severity, reflecting the potential for data leakage; no CVSS score is listed on this record. Although the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the requirement for a compromised renderer process lowers the likelihood of exploitation in the wild. Nonetheless, should an attacker gain that foothold, for example through another browser or system vulnerability, they could readily trigger the data leak. The flaw is an application-level issue that relies on an already-compromised renderer rather than on a direct network or remote code execution path.

Generated by OpenCVE AI on July 1, 2026 at 00:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Chrome for Android (150.0.7871.47 or newer) to eliminate the Autofill data leakage bug
  • If Chrome must remain on an older version, disable the Autofill feature to prevent cross‑origin data exposure
  • Enforce strict sandboxing and least‑privilege settings for the renderer process to reduce the chance of successful compromise

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Cross‑Origin Data Leakage via Autofill in Google Chrome on Android |
| Weaknesses | | CWE-200 |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Inappropriate implementation in Autofill in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:47.466Z

Reserved: 2026-06-29T23:03:27.222Z

Link: CVE-2026-13826

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T00:45:15Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor