Description
Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in Chrome's StorageAccessAPI allowed an attacker who had already compromised the renderer process to bypass the same‑origin policy by loading a crafted HTML page. This flaw permits the attacker to access resources that are normally restricted within the same browser context, potentially leading to cross‑origin data leakage or unauthorized manipulation of web content. The impact is limited to situations where the renderer has been compromised; the flaw does not by itself provide execution or privileges beyond the renderer process. The vulnerability is classified as CWE-284 (Improper Access Control).

Affected Systems

Google Chrome versions prior to 150.0.7871.47 are affected. The issue was addressed in the 150.0.7871.47 release and later. While only Chrome is listed as a vendor, any systems running those vulnerable versions are at risk.

Risk and Exploitability

Exploitation requires first compromising the renderer process, which typically involves a separate vulnerability or a compromised webpage. Once the attacker achieves this, they can craft a malicious page to exploit the StorageAccessAPI flaw, bypassing same‑origin restrictions. The CVSS score of 6.5 indicates moderate severity, and the EPSS score of 0.0018 reflects a very low perceived exploitation likelihood. The vulnerability is not listed in CISA KEV, suggesting no widespread exploitation has been observed. Nevertheless, any environment where Chrome is exposed to potentially malicious content should apply the patch promptly to avoid the risk of cross‑origin data access in the event of a renderer compromise.

Generated by OpenCVE AI on July 1, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome 150.0.7871.47 or later to apply the StorageAccessAPI policy enforcement fix.
  • Verify that the browser is on an up-to-date security update channel and configure automatic updates to avoid running vulnerable versions.
  • Configure site isolation or enforce storage access controls if your organization uses scripts that manipulate the StorageAccessAPI, and consider disabling the API for untrusted pages.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 19:00:00 +0000

Type Values Removed Values Added
Title StorageAccessAPI Same‑Origin Policy Bypass via Compromised Renderer
Weaknesses CWE-285

Wed, 01 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 13:45:00 +0000

Type Values Removed Values Added
Title StorageAccessAPI Same‑Origin Policy Bypass via Compromised Renderer
Weaknesses CWE-285

Wed, 01 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 01 Jul 2026 09:15:00 +0000

Type Values Removed Values Added
Title Same Origin Policy Bypass in StorageAccessAPI via Compromised Renderer
Weaknesses CWE-264
CWE-285

Wed, 01 Jul 2026 03:30:00 +0000

Type Values Removed Values Added
Title Same Origin Policy Bypass in StorageAccessAPI via Compromised Renderer
Weaknesses CWE-264
CWE-285

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T13:53:48.232Z

Reserved: 2026-06-29T23:11:53.053Z

Link: CVE-2026-14156

Vulnrichment

Updated: 2026-07-01T13:51:48.816Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T20:00:06Z

Weaknesses