Description
Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low)
Published: 2026-05-06
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in Chrome DevTools allows a malicious extension, once a user has installed it, to access and leak cross-origin data. The flaw is limited to the browser environment and lets an attacker read data that the same-origin policy should isolate, compromising confidentiality. Chromium rates the vulnerability low severity, indicating limited exploitation vectors and impact scope once the user has trusted the malicious extension. The flaw corresponds to CWE‑693, a security misconfiguration in which a system fails to enforce secure policies.

Affected Systems

Google Chrome browsers earlier than version 148.0.7778.96 are affected. Users of these versions should be aware that installing third‑party extensions poses a risk of cross‑origin data leakage.

Risk and Exploitability

The vulnerability has a low CVSS score and no EPSS data, and it is not listed in the CISA KEV catalog, suggesting a limited exploit likelihood at present. Exploitation requires a user to install a malicious extension, which gives the extension the ability to read data across origins. Because the flaw resides in DevTools policy enforcement, an attacker can craft an extension specifically designed to leverage this weakness, but broad automated exploitation is unlikely.

Generated by OpenCVE AI on May 7, 2026 at 04:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.96 or later to fix the DevTools policy enforcement flaw
  • Restrict or disable third‑party extension installation in Chrome by setting the "ExtensionsAllowed" policy to false for untrusted users
  • Monitor installed extensions for unexpected origin access permissions and audit their source scripts for cross‑origin requests


Advisories

No advisories yet.

History

Thu, 07 May 2026 04:45:00 +0000

Type Values Removed Values Added
Title Chrome DevTools Policy Enforce Flaw Enables Cross-Origin Data Leak

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Insufficient DevTools Policy Enforcement Allows Malicious Extension to Leak Cross‑Origin Data
Weaknesses CWE-200
CWE-284

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title Insufficient DevTools Policy Enforcement Allows Malicious Extension to Leak Cross‑Origin Data
First Time appeared Google
Google chrome
Weaknesses CWE-200
CWE-284
Vendors & Products Google
Google chrome

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:47:59.531Z

Reserved: 2026-05-05T22:59:32.810Z

Link: CVE-2026-8004

Vulnrichment

Updated: 2026-05-06T21:21:11.573Z

NVD

Status : Undergoing Analysis

Published: 2026-05-06T19:16:51.390

Modified: 2026-05-06T22:16:44.427

Link: CVE-2026-8004

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T04:30:21Z

Weaknesses