Description
Insufficient validation of untrusted input in FedCM in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input in Google Chrome’s Federated Credential Management (FedCM) prior to version 148.0.7778.96 allowed a remote attacker to leak cross‑origin data via a crafted HTML page. The likely attack vector is a malicious web page that leverages FedCM’s insufficient input validation. This is a classic input validation flaw (CWE‑20) and a missing authentication flaw (CWE‑346) that can expose information across origins but does not provide direct code execution or denial‑of‑service capabilities.

Affected Systems

The flaw affects installations of Google Chrome on desktop platforms using FedCM, specifically all releases prior to Chrome 148.0.7778.96. Based on the description, it is inferred that any user who interacts with a malicious page that triggers FedCM will be at risk of data leakage across origin boundaries.

Risk and Exploitability

The CVE has a CVSS score of 4.3, indicating low severity. The EPSS score of <1% suggests a very low exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog, implying no widespread exploitation has been reported. The likely attack vector is a malicious web page that exploits FedCM's insufficient input validation, requiring user interaction to load the page. Successful exploitation exposes cross‑origin data to the attacker. While the potential impact is limited to data exposure, the lack of mitigations could still enable attackers to harvest sensitive information from unsuspecting users.

Generated by OpenCVE AI on May 9, 2026 at 04:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.96 or later
  • Disable FedCM in Chrome if not needed by navigating to chrome://flags (or via enterprise policy) to mitigate the vulnerability until a patch is available
  • Ensure Chrome auto‑update is enabled or install the latest release manually to receive future security updates

Generated by OpenCVE AI on May 9, 2026 at 04:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6250-1 chromium security update
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient validation of untrusted input in FedCM
Weaknesses CWE-346
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 07 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leak via FedCM Input Validation in Google Chrome

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leak via FedCM Input Validation in Google Chrome

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in FedCM in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:46:34.398Z

Reserved: 2026-05-05T22:59:35.052Z

Link: CVE-2026-8013

cve-icon Vulnrichment

Updated: 2026-05-06T20:59:15.452Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:52.250

Modified: 2026-05-07T15:19:30.703

Link: CVE-2026-8013

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-8013 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T04:45:26Z

Weaknesses