Skip to main content

Google Chrome EUVDEUVD-2026-34654

| CVE-2026-11193 MEDIUM
Improper Access Control (CWE-284)
2026-06-04 chrome-cve-admin@google.com GHSA-cw7x-6q47-qrj7
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 16:30 vuln.today
CVSS changed
Jun 05, 2026 - 16:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 04, 2026 - 23:17 nvd
MEDIUM 6.5
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient policy enforcement in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Insufficient policy enforcement in Google Chrome's Password Manager component (versions prior to 149.0.7827.53) allows a remote, unauthenticated attacker to bypass discretionary access control by delivering a crafted HTML page to a victim. Per the CVSS vector (C:N/I:N/A:H), the confirmed impact is high availability disruption - notably not credential exfiltration - suggesting the bypass degrades or denies Password Manager functionality rather than exposing stored credentials. No public exploit exists and EPSS sits at 0.02% (4th percentile), indicating no widespread exploitation pressure at time of analysis.

Technical ContextAI

The vulnerability resides in Chromium's Password Manager subsystem and is classified under CWE-284 (Improper Access Control), specifically the 'Insufficient Policy Enforcement' variant tracked by Google's security team. Discretionary access control (DAC) in this context governs which origins or contexts are permitted to interact with Password Manager state. A crafted HTML page can violate these enforcement boundaries, likely by exploiting a logic gap in how the renderer process enforces cross-origin or cross-context policies around autofill/password manager APIs. The affected product is Google Chrome prior to 149.0.7827.53, as identified in the EUVD affected version range and confirmed by the Chrome stable channel advisory at chromereleases.googleblog.com.

RemediationAI

Upgrade Google Chrome to version 149.0.7827.53 or later, which contains the vendor-released patch as confirmed by the Chrome stable channel advisory at chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's auto-update mechanism will deliver this version automatically on supported desktop platforms; administrators managing enterprise fleets should push the update via Google Admin or applicable MDM tooling. Because exploitation requires user interaction with a crafted HTML page, organizations unable to patch immediately can reduce risk by enforcing web filtering to block unknown or untrusted HTML content, though this has meaningful usability trade-offs. Disabling the built-in Password Manager entirely (via policy: PasswordManagerEnabled=false) would eliminate the attack surface at the cost of losing integrated credential autofill functionality. No additional workarounds are specified in available advisories.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-34654 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy