Description
Inappropriate implementation in FedCM in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation of the FedCM feature in Google Chrome allows a remote attacker to bypass the browser's same-origin policy using a crafted HTML page. The flaw lets the attacker read or modify data that would normally be restricted to a particular origin, violating the confidentiality and integrity guarantees the same-origin policy is meant to provide. Chromium security rates the vulnerability as low severity: the bypass is possible, but it does not directly lead to code execution or denial of service.

Affected Systems

Google Chrome versions earlier than 150.0.7871.47 are affected. The flaw exists in the FedCM implementation shipped with these releases and has been addressed in the 150.0.7871.47 update and later.

Risk and Exploitability

The exploitability of this vulnerability is low. No exploit has been reported and no EPSS score is available, which suggests a minimal chance of real-world attacks. It is not listed in the CISA KEV catalog. Because the flaw is triggered by a crafted HTML page, an attacker must get the victim's browser to load such a page, so the attack vector is a client-side drive-by scenario rather than a network-level attack. Overall risk remains low, but patching is recommended to remove the possibility of future exploitation.

Generated by OpenCVE AI on July 1, 2026 at 01:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.47 or later, which contains the FedCM fix.
  • If an immediate update is not possible, disable the FedCM feature via Chrome policy settings or via the chrome://flags interface so the flaw cannot be exercised.
  • Use Chrome's enterprise security settings to enforce same-origin policy restrictions and prevent third-party scripts from accessing protected resources.


Tracking


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:15:00 +0000

Type       | Values Removed | Values Added
Title      |                | FedCM Same-Origin Policy Bypass in Chrome
Weaknesses |                | CWE-295

Tue, 30 Jun 2026 23:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Inappropriate implementation in FedCM in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
References  |                |

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:11.650Z

Reserved: 2026-06-29T23:11:33.495Z

Link: CVE-2026-14057

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:00:07Z

Weaknesses
  • CWE-295: Improper Certificate Validation