CVE-2026-1504 - Vulnerability Details

- chromium-browser: Inappropriate implementation in Background Fetch API

Description

Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Published: 2026-01-27

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Background Fetch API implementation in Google Chrome up to version 144.0.7559.110 contains an oversight that permits a remote attacker to retrieve data from origins different from the one that served the malicious page. An attacker can craft an HTML page that initiates a background fetch request to a target domain. Due to improper origin checks, Chrome returns the response payload to the malicious page, leaking cross‑origin information. This flaw is a CWE-200 exposure of sensitive information to an unauthorized actor and also can be considered a CWE-284 improper access control issue.

Affected Systems

Affected are all Google Chrome releases before 144.0.7559.110. The vulnerability exists in Desktop Chrome for Windows, macOS, and Linux in the stable channel and has been reported in Chromium's issue tracker under 474435504. Any user who opens a malicious web page while using one of those affected Chrome versions is susceptible.

Risk and Exploitability

The CVSS score is 6.5, classifying the issue as high severity from Chrome's perspective, but the EPSS score is below 1%, indicating a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack requires a user to visit a crafted web page in Chrome; no additional privileged access or network connections are needed. Once the attack vector is activated, data from the target origin is returned to the malicious page, allowing an attacker to exfiltrate sensitive information.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`144.0.7559.110`	affected	< 144.0.7559.110

Configuration 1 [-]

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Google	Chrome	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Google Chrome to version 144.0.7559.110 or later.
If updating is unavailable, disable the Background Fetch API via Chrome's enterprise policy by setting BackgroundFetchAllowed to false or BackgroundSyncEnabled to false.
For organizations, block access to known malicious URLs and monitor browser logs for background fetch events to detect potential abuse.

Generated by OpenCVE AI on April 18, 2026 at 01:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6116-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00044.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html
https://issues.chromium.org/issues/474435504
https://nvd.nist.gov/vuln/detail/CVE-2026-1504
https://www.cve.org/CVERecord?id=CVE-2026-1504

History

Sat, 18 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200 CWE-284

Fri, 06 Feb 2026 18:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:google:chrome::::::::

Mon, 02 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		chromium-browser: Inappropriate implementation in Background Fetch API
References		https://nvd.nist.gov/vuln/detail/CVE-2026-1504 https://www.cve.org/CVERecord?id=CVE-2026-1504
Metrics	threat_severity `None`	threat_severity `Important`

Wed, 28 Jan 2026 12:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Tue, 27 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 27 Jan 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
References		https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html https://issues.chromium.org/issues/474435504

Subscriptions

Google Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-01-27T20:46:35.796Z

Updated: 2026-01-27T21:16:21.039Z

Reserved: 2026-01-27T20:08:27.853Z

Link: CVE-2026-1504

Vulnrichment

Updated: 2026-01-27T21:14:54.925Z

NVD

Status : Analyzed

Published: 2026-01-27T21:16:00.480

Modified: 2026-02-06T17:45:56.510

Link: CVE-2026-1504

Redhat

Severity : Important

Publid Date: 2026-01-27T00:00:00Z

Links: CVE-2026-1504 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object