Description
Insufficient policy enforcement in PWAs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to install a PWA without user consent via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized PWA installation without user consent
Action: Apply Patch
AI Analysis

Impact

A vulnerability in Chrome’s handling of progressive web apps allows a remote attacker, who has already compromised the renderer process, to craft an HTML page that installs a PWA without prompting the user. The attacker can therefore add a malicious application to the user’s system, potentially used as a front for phishing, credential harvesting, or other malicious activity, without the user’s knowledge or approval.

Affected Systems

Google Chrome installations older than version 147.0.7727.55 on any operating system are affected. Users of the stable desktop channel update that preceded the fix are at risk.

Risk and Exploitability

The CVSS score of 6.6 indicates medium severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires control over the renderer process, which arise from other memory corruption or cross‑site scripting issues; thus the attack vector is inferred to be an already compromised renderer rather than a direct remote user attack.

Generated by OpenCVE AI on April 14, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or later; enable automatic updates to receive this and future patches promptly
  • Verify that no unfamiliar PWAs have been added to the desktop or start menu; if found, uninstall the PWA and review browser history for suspicious activity

Generated by OpenCVE AI on April 14, 2026 at 20:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6205-1 chromium security update
History

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1268
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Insufficient Policy Enforcement Enables Unauthorized PWA Installation chromium-browser: Insufficient policy enforcement in PWAs
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N'}

threat_severity

Moderate

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Insufficient Policy Enforcement Enables Unauthorized PWA Installation
First Time appeared Google
Google chrome
Weaknesses CWE-284
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in PWAs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to install a PWA without user consent via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-14T13:51:34.286Z

Reserved: 2026-04-08T19:34:40.655Z

Link: CVE-2026-5892

cve-icon Vulnrichment

Updated: 2026-04-14T13:51:28.783Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T22:16:29.083

Modified: 2026-04-14T17:06:16.100

Link: CVE-2026-5892

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5892 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses