Description
Policy bypass in LocalNetworkAccess in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Policy Bypass Leading to Local Network Access
Action: Immediate Patch
AI Analysis

Impact

Google Chrome versions prior to 147.0.7727.55 contain a policy bypass that allows a remote attacker to craft an HTML page that circumvents the LocalNetworkAccess navigation restriction. The weakness is characterized by unauthorized access to restricted network resources (CWE‑284) and potentially exploitable cross‑site scripting (CWE‑79). If successfully exploited, the attacker could reach resources on the user’s local network that should be hidden from web content, compromising confidentiality and potentially integrity.

Affected Systems

The vulnerability affects Google Chrome running on Windows, macOS, and Linux. Vendors should look for systems running Chrome versions earlier than 147.0.7727.55, as these are the platforms that lack the latest policy enforcement for LocalNetworkAccess.

Risk and Exploitability

The CVSS score is 6.5, indicating medium severity, while the EPSS score is below 1%, implying a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a remote web page that a user opens in Chrome; the attacker can embed the crafted HTML in a phishing or malicious site, leveraging the browser’s privilege to bypass local network restrictions.

Generated by OpenCVE AI on April 14, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.55 or newer.
  • Verify the installation of the latest Chrome update on all affected systems.
  • If an immediate update is not possible, restrict local network resource access through Chrome enterprise policies or equivalent firewall rules.
  • Monitor network traffic for anomalous local‑network activity originating from browsers and investigate any suspicious instances.

Advisories
Source | ID | Title
Debian DSA | DSA-6205-1 | chromium security update

History

Tue, 14 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Policy Bypass Enables Unauthorized Local Network Access in Chrome chromium-browser: Policy bypass in LocalNetworkAccess
Weaknesses CWE-79
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

threat_severity

Moderate


Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Policy Bypass Enables Unauthorized Local Network Access in Chrome
First Time appeared Google
Google chrome
Weaknesses CWE-284
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Policy bypass in LocalNetworkAccess in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-13T18:19:00.316Z

Reserved: 2026-04-08T19:34:37.730Z

Link: CVE-2026-5881

Vulnrichment

Updated: 2026-04-13T17:56:12.880Z

NVD

Status: Analyzed

Published: 2026-04-08T22:16:27.753

Modified: 2026-04-14T20:01:36.043

Link: CVE-2026-5881

Redhat

Severity: Moderate

Public Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5881 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses