Description
Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient policy enforcement in the Passwords component of Google Chrome versions prior to 150.0.7871.47. A remote attacker can create a crafted HTML page that, when loaded in the browser, leaks cross‑origin data. Based on the description, the attack vector is likely a malicious web page that the victim visits, and the likely impact is the exposure of credentials or other data that should be confined to the originating origin.

Affected Systems

The flaw affects the Google Chrome browser and applies to any release earlier than version 150.0.7871.47. All users running an outdated Chrome build are potentially vulnerable until they upgrade to the patched version.

Risk and Exploitability

Chromium rates the issue as Low severity. No EPSS score is available, so the likelihood of exploitation remains unclear, but the lack of a KEV listing suggests no confirmed, widespread exploitation in the wild. The risk is primarily confined to browsers that have not applied the security update; once upgraded, the flaw is mitigated. The cross‑origin data leak could still be valuable to an actor who can entice users to visit a malicious site, and the attack requires no privileged context beyond a standard web page load.

Generated by OpenCVE AI on July 1, 2026 at 05:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 150.0.7871.47 or later to apply the fix for the password policy enforcement flaw
  • If an immediate upgrade is not possible, disable Chrome’s password saving and autofill feature in the browser settings or via administrative policy so that stored passwords are not exposed through cross‑origin pages
  • Verify that any enterprise or group policy controlling password handling enforces the same‑origin restriction and update the policy configuration to reflect the recent Chrome patch

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:30:00 +0000

Type | Values Removed | Values Added
Title | | Cross‑origin Data Leakage via Improper Passwords Policy Enforcement in Google Chrome
Weaknesses | | CWE-200, CWE-285

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:09.138Z

Reserved: 2026-06-29T23:11:32.014Z

Link: CVE-2026-14050

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T05:15:04Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-285

    Improper Authorization