Description
Insufficient policy enforcement in PWAs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to install a PWA without user consent via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: n/a
EPSS: n/a
KEV: No
Impact: Unauthorized PWA Installation
Action: Immediate Patch
AI Analysis

Impact

Insufficient enforcement of policy within the progressive web app subsystem of Google Chrome allows an attacker who has already compromised the renderer process to bypass user confirmation and install a progressive web app through a crafted HTML page. The installed app can then run with the privileges of the user’s profile, enabling disclosure or modification of local data and potentially acting as a vector for further exploitation. The weakness is a form of improper access control, identified as CWE‑284.

Affected Systems

All desktop installations of Google Chrome older than version 147.0.7727.55 are affected. This includes Windows, macOS, and Linux builds of the stable channel. The vendor’s update notes confirm that the patch applies universally across these platforms.

Risk and Exploitability

Chromium classifies the vulnerability as medium severity. Exploitation requires the attacker to first compromise the renderer process, typically through a separate web‑based exploit that gains sufficient access. Until the browser is updated, the likelihood of successful exploitation remains low, but the impact, if achieved, could be significant for the compromised user. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no EPSS score is available.

Generated by OpenCVE AI on April 8, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or newer
  • Verify the update by navigating to chrome://settings/help
  • If an update cannot be applied immediately, enforce an enterprise policy that blocks PWA installation until the fix is installed
  • Stay informed by monitoring Chrome release notes for future security patches

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
Title | | Insufficient Policy Enforcement Enables Unauthorized PWA Installation
First Time appeared | | Google; Google chrome
Weaknesses | | CWE-284
Vendors & Products | | Google; Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in PWAs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to install a PWA without user consent via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:20:54.153Z

Reserved: 2026-04-08T19:34:40.655Z

Link: CVE-2026-5892

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:29.083

Modified: 2026-04-08T22:16:29.083

Link: CVE-2026-5892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:26:26Z

Weaknesses