Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromium security severity: Medium)
AnalysisAI
Discretionary access control bypass in Google Chrome's Extensions subsystem affects all versions prior to 149.0.7827.53, enabling integrity compromise without exposing confidential data. Exploitation requires convincing a target user to install a crafted malicious Chrome Extension, placing social engineering at the center of any attack path. No public exploit code exists and no active exploitation has been confirmed; EPSS sits at 0.01% (1st percentile), indicating very low observed exploitation probability at time of analysis.
Technical ContextAI
The vulnerability resides in the Chrome Extensions subsystem, which implements a sandboxed permission and capability model governing what browser extensions may access or modify. CWE-284 (Improper Access Control) identifies the root cause: the enforcement logic for discretionary access controls (DAC) - the mechanism by which Chrome restricts extension capabilities to declared, user-approved permissions - contains an inappropriate implementation that can be circumvented by a specially crafted extension manifest or API call sequence. The affected codebase is tracked under Chromium issue 503375371. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms: no authentication is required at the network level, complexity is low, but user interaction (installing the extension) is mandatory. Scope is unchanged, meaning exploitation is contained to the browser's own security context rather than crossing into the underlying OS.
RemediationAI
The primary fix is upgrading Google Chrome to version 149.0.7827.53 or later, confirmed as the patched release per the vendor advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's auto-update mechanism should deliver this to most users automatically; administrators managing enterprise deployments should verify the rollout via policy. As a compensating control pending patch deployment, organizations should enforce extension allow-listing through Chrome Enterprise policies (ExtensionInstallAllowlist / ExtensionInstallBlocklist), which prevents users from installing extensions not pre-approved by administrators - this directly eliminates the social engineering attack path and mitigates this vulnerability entirely. The trade-off of extension allow-listing is reduced user flexibility, but it is a broadly recommended security baseline regardless of this CVE. Blocking installation from outside the Chrome Web Store via policy (ExtensionInstallSources) provides a partial mitigation with less user friction.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34651
GHSA-mwrr-5cxr-f22w