Description
Inappropriate implementation in WebXR in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in the WebXR module of Google Chrome for Android versions earlier than 150.0.7871.47. An attacker can craft a malicious HTML page that causes the browser to ignore its normal navigation restrictions, allowing an unsolicited redirect to a site of the attacker’s choice. The vulnerability does not grant code execution or privilege escalation but facilitates phishing or other social‑engineering attacks by taking control over the user’s navigation flow.

Affected Systems

All Android users who have Chrome installed at a version older than 150.0.7871.47 are affected. This includes every device that has not yet applied the incremental security update released on 17 June 2026.

Risk and Exploitability

The vulnerability is rated low by Chromium’s internal severity, and it is not listed in the CISA KEV catalog. No EPSS score is available. The attack vector is remote: any web page can trigger the bypass when viewed with the affected browser. Although exploitation is straightforward, the impact is limited to unwanted navigation and possible phishing; an attacker cannot gain local privileges or execute arbitrary code. The risk remains low but the ability to redirect users is valuable for attackers aiming to conceal malicious payloads.

Generated by OpenCVE AI on July 1, 2026 at 05:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome on Android to version 150.0.7871.47 or newer.
  • Disable the WebXR feature in Chrome via an enterprise policy or by launching Chrome with the “--disable-features=WebXR” flag if operating in a managed environment.
  • Remain cautious of unfamiliar or untrusted websites that might host malicious WebXR content; using Chrome’s Safe Browsing and blocking untrusted origins can reduce exposure.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | WebXR Navigation Restriction Bypass in Google Chrome for Android |
| Weaknesses | | CWE-601 |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Inappropriate implementation in WebXR in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) |
| References | | |


MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:03.373Z

Reserved: 2026-06-29T23:11:28.564Z

Link: CVE-2026-14034

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T05:15:04Z

Weaknesses
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')