Description
Policy bypass in LocalNetworkAccess in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Local Network Access
Action: Patch Chrome
AI Analysis

Impact

The vulnerability is a policy bypass in the LocalNetworkAccess feature of Google Chrome, which can be triggered by a crafted HTML page. It allows a remote attacker to circumvent navigation restrictions and access local network resources that are normally blocked. This leads to potential confidentiality breaches and could also serve as a foothold for further compromise. The weakness is a form of improper access control (CWE‑284).

Affected Systems

Affected systems are installations of Google Chrome running versions earlier than 147.0.7727.55. The current Chrome stable channel update, version 147.0.7727.55, includes the fix. Users on older releases or custom builds not yet updated are therefore susceptible.

Risk and Exploitability

The vulnerability has a Medium severity score. EPSS data is unavailable, and the issue is not listed in the CISA KEV catalog. The exploitation pathway typically involves a malicious web page that a user visits, after which Chrome automatically attempts to access local network destinations that are normally restricted. Because the attack requires the user to open the crafted page, the risk depends on user behavior, but the potential impact of local network data exposure makes it a concern for environments with sensitive internal resources.

Generated by OpenCVE AI on April 8, 2026 at 22:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.55 or later.
  • Verify that the Chrome update has been applied on all systems.
  • If managing Chrome via enterprise policy, ensure LocalNetworkAccess restrictions are enforced until the patch is in place.
  • Monitor user reporting of unexpected navigation or local network access.

Advisories
Source: Debian DSA
ID: DSA-6205-1
Title: chromium security update
History

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Policy Bypass Enables Unauthorized Local Network Access in Chrome chromium-browser: Policy bypass in LocalNetworkAccess
Weaknesses CWE-79
References
Metrics threat_severity None cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'} threat_severity Moderate

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Policy Bypass Enables Unauthorized Local Network Access in Chrome
First Time appeared Google
Google chrome
Weaknesses CWE-284
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Policy bypass in LocalNetworkAccess in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:20:49.608Z

Reserved: 2026-04-08T19:34:37.730Z

Link: CVE-2026-5881

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:27.753

Modified: 2026-04-08T22:16:27.753

Link: CVE-2026-5881

Redhat

Severity: Moderate

Public Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5881 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-09T08:26:45Z

Weaknesses