Description
Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient enforcement of extension policy in Google Chrome versions prior to 150.0.7871.47 gives a remote attacker, who has already compromised the renderer process, the ability to craft an HTML page that can read cross‑origin data. The flaw effectively allows an extension to bypass its intended access controls and leak sensitive information to the attacker. The weakness is a form of improper access control, as the renderer’s policy checks are not correctly applied to extensions.

Affected Systems

The vulnerability affects the Google Chrome browser on all platforms for any installation older than version 150.0.7871.47. Any user running a pre‑patch build is susceptible until a newer release is installed.

Risk and Exploitability

Exploitation requires a prior compromise of the renderer process, which is a non‑trivial prerequisite. The EPSS score is not available and the flaw is not listed in CISA’s KEV catalog, indicating a low likelihood of widespread exploitation. Nonetheless, once the renderer is compromised the attacker can read any cross‑origin data presented to the extension, posing a confidentiality risk. Chromium classifies the severity as low, suggesting that attacks would likely be targeted rather than mass‑scale.

Generated by OpenCVE AI on July 1, 2026 at 05:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.47 or later
  • Disable or uninstall extensions that request cross‑origin access or are not from the official Chrome Web Store
  • Enforce enterprise policies to block untrusted extensions and limit host permissions

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 05:30:00 +0000

Type | Values Removed | Values Added
Title | Cross‑Origin Data Leakage via Unrestricted Extension Access | Cross-Origin Data Leakage via Unrestricted Extension Access

Wed, 01 Jul 2026 04:30:00 +0000

Type | Values Removed | Values Added
Title | | Cross‑Origin Data Leakage via Unrestricted Extension Access
Weaknesses | | CWE-284

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:10.213Z

Reserved: 2026-06-29T23:11:32.713Z

Link: CVE-2026-14053

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T05:15:04Z

Weaknesses