Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Insufficient policy enforcement in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Insufficient policy enforcement in Google Chrome's Password Manager component (versions prior to 149.0.7827.53) allows a remote, unauthenticated attacker to bypass discretionary access control by delivering a crafted HTML page to a victim. Per the CVSS vector (C:N/I:N/A:H), the confirmed impact is high availability disruption - notably not credential exfiltration - suggesting the bypass degrades or denies Password Manager functionality rather than exposing stored credentials. No public exploit exists and EPSS sits at 0.02% (4th percentile), indicating no widespread exploitation pressure at time of analysis.
Technical ContextAI
The vulnerability resides in Chromium's Password Manager subsystem and is classified under CWE-284 (Improper Access Control), specifically the 'Insufficient Policy Enforcement' variant tracked by Google's security team. Discretionary access control (DAC) in this context governs which origins or contexts are permitted to interact with Password Manager state. A crafted HTML page can violate these enforcement boundaries, likely by exploiting a logic gap in how the renderer process enforces cross-origin or cross-context policies around autofill/password manager APIs. The affected product is Google Chrome prior to 149.0.7827.53, as identified in the EUVD affected version range and confirmed by the Chrome stable channel advisory at chromereleases.googleblog.com.
RemediationAI
Upgrade Google Chrome to version 149.0.7827.53 or later, which contains the vendor-released patch as confirmed by the Chrome stable channel advisory at chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's auto-update mechanism will deliver this version automatically on supported desktop platforms; administrators managing enterprise fleets should push the update via Google Admin or applicable MDM tooling. Because exploitation requires user interaction with a crafted HTML page, organizations unable to patch immediately can reduce risk by enforcing web filtering to block unknown or untrusted HTML content, though this has meaningful usability trade-offs. Disabling the built-in Password Manager entirely (via policy: PasswordManagerEnabled=false) would eliminate the attack surface at the cost of losing integrated credential autofill functionality. No additional workarounds are specified in available advisories.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34654
GHSA-cw7x-6q47-qrj7