Description
Insufficient policy enforcement in FileSystem in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in Chrome’s FileSystem API allows a remote attacker to bypass the browser’s discretionary access control by loading a specially crafted HTML page. This flaw permits the attacker to read or write files not explicitly granted by the user, potentially leading to data leakage or modification. The weakness is an improper access control issue (CWE-284).

Affected Systems

Any Google Chrome installation running a version earlier than 150.0.7871.47 is affected. The vulnerability was present in all Chrome builds before that patch release.

Risk and Exploitability

The CVSS score is not disclosed, and the EPSS metric is unavailable; the flaw is not listed in the CISA KEV catalog. The description rates it as Chromium security severity Low, indicating a modest overall risk. The attack vector is a crafted HTML page served over the network, so an attacker must get a user to open or view the malicious page. Once the page is loaded, the attacker can read or modify files that normally fall under Chrome’s sandbox protections.

Generated by OpenCVE AI on July 1, 2026 at 02:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.47 or newer, ensuring the browser applies the latest security fixes.
  • Verify that Chrome’s automatic update mechanism is enabled so future patches are installed automatically.
  • Avoid browsing untrusted or malicious websites. As a temporary measure, consider disabling the FileSystem API via browser flags if you must work in environments that expose the API to potentially unsafe content.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:30:00 +0000

Type | Values Removed | Values Added
Title | | Chrome File System Policy Bypass Allowing Access Control Escalation
Weaknesses | | CWE-284

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in FileSystem in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:09.845Z

Reserved: 2026-06-29T23:11:32.440Z

Link: CVE-2026-14052

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:15:07Z

Weaknesses