Description
Insufficient policy enforcement in DevTools in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to bypass enterprise host restrictions for cookie modification via a crafted Chrome Extension. (Chromium security severity: Low)
Published: 2026-04-08
Score: n/a
EPSS: n/a
KEV: No
Impact: Cookie manipulation via enterprise host restriction bypass
Action: Update Chrome
AI Analysis

Impact

Insufficient policy enforcement in Chrome DevTools allows a malicious extension to modify cookies on domains that are normally restricted by enterprise policies. According to the description, an attacker who convinces a user to install a crafted Chrome extension can bypass enterprise host restrictions for cookie modification.

Affected Systems

The flaw affects all Chrome stable channel releases prior to 147.0.7727.55 on desktop platforms, including Windows, macOS, and Linux. Patches are available in the latest stable update and are noted in the Google Chrome release blog.

Risk and Exploitability

Chromium classifies the severity as low. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker must first persuade a user to install a malicious extension, after which the affected cookies can be written, deleted, or changed. The risk level is moderate: exploitation requires social engineering and a targeted extension installation, but cookie tampering can potentially influence session state and related data.

Generated by OpenCVE AI on April 8, 2026 at 22:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to 147.0.7727.55 or later
  • Enforce strict extension installation policies and restrict unverified extensions

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Chrome DevTools Policy Enforcement Failure Enabling Cookie Modification Through Malicious Extension |
| First Time appeared | | Google; Google chrome |
| Weaknesses | | CWE-284 |
| Vendors & Products | | Google; Google chrome |

Wed, 08 Apr 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Insufficient policy enforcement in DevTools in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to bypass enterprise host restrictions for cookie modification via a crafted Chrome Extension. (Chromium security severity: Low) |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:20:59.391Z

Reserved: 2026-04-08T19:34:43.144Z

Link: CVE-2026-5901

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:29.983

Modified: 2026-04-08T22:16:29.983

Link: CVE-2026-5901

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:26:17Z

Weaknesses