CVE-2026-10937: Inappropriate implementation in Passwords in Google Chrome prior to 149
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
An inappropriate implementation flaw in the Passwords component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker to bypass the same-origin policy by tricking a user into visiting a crafted HTML page. The attack is reachable over the network and requires no authentication, only that the target user loads the malicious page. Successful exploitation gives the attacker unauthorized read access to credential data and the ability to tamper with password-related operations across origins. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chrome or Chromium binary. Any image carrying a Chrome version below 149.0.7827.53 is flagged automatically.
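The version gate described above, as an added example that is not HarborGuard's own scanner code: it takes a package listing of the kind a scanner collects from a container image and reports any Chrome or Chromium package whose upstream version is below the advisory's fix version. The package names, the listing format and all sample version values are constructed assumptions; the only value taken from the page is the fix version 149.0.7827.53.

```python
"""Version gate for CVE-2026-10937 (added example; not HarborGuard's own scanner code).

Given a package listing collected from a container image, report any Chrome or
Chromium package whose upstream version is below the fix version in the advisory.
"""
import re

FIX_VERSION = "149.0.7827.53"  # "Fixed in" version from the advisory

# Assumed package names that ship a Chrome/Chromium binary on Debian/Ubuntu-style images.
CHROME_PACKAGES = {
    "google-chrome-stable", "google-chrome-beta", "google-chrome-unstable",
    "chromium", "chromium-browser",
}

# Constructed sample listing ("name version" per line), the shape a scanner might
# derive from dpkg output. Every version value here is hypothetical.
SAMPLE_LISTING = """\
google-chrome-stable 148.0.7790.102-1
chromium 149.0.7827.53-1~deb12u1
google-chrome-beta 149.0.7830.7-1
libc6 2.36-9+deb12u4
"""

# Optional Debian epoch ("1:") followed by up to four dotted numeric components.
_UPSTREAM = re.compile(r"^(?:\d+:)?(\d+(?:\.\d+){0,3})")


def parse_version(version: str) -> tuple:
    """Map '1:148.0.7790.102-1' -> (148, 0, 7790, 102).

    Drops a Debian epoch and the package revision, and zero-pads to four
    components so that '149.0' compares as 149.0.0.0.
    """
    m = _UPSTREAM.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str, fix: str = FIX_VERSION) -> bool:
    """True when the installed build is strictly below the fix version.

    Comparison is numeric per component: a plain string comparison would call
    '149.0.7827.9' newer than '149.0.7827.53' because '9' > '5'.
    """
    return parse_version(version) < parse_version(fix)


def find_affected(listing: str) -> list:
    """Return (package, version) pairs from a listing that still need the fix."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        name, version = line.split(None, 1)
        if name in CHROME_PACKAGES and is_affected(version):
            findings.append((name, version.strip()))
    return findings


if __name__ == "__main__":
    for name, version in find_affected(SAMPLE_LISTING):
        print(f"{name} {version}: below {FIX_VERSION}, affected by CVE-2026-10937")
```

Only the stable package in the constructed listing is flagged: the chromium line sits exactly at the fix version and the beta line is above it. The numeric comparison matters because Chrome's fourth component is not zero-padded, so a lexical check would misclassify builds such as 149.0.7827.9.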
HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard once the fix version is confirmed in the upstream advisory, which it is for this CVE. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs a regression suite, and opens a pull request against the affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must deliver the crafted HTML page to the victim over the network, requiring the target to be reachable through a browser session.
- Authentication: Not required
No account or login is needed; the attacker only needs to get the victim to load a page they control.
- Victim interaction: Required
The victim must visit the attacker's crafted HTML page, making this a social-engineering vector requiring at least one deliberate or induced user action.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- Reads stored password data and credential material managed by Chrome's Passwords component across origins that the same-origin policy would normally protect.
- Modifies or injects password-related data by bypassing the origin boundary, enabling credential tampering or silent overwrite of saved passwords.
- Enables cross-origin data theft from web applications open in other tabs or frames if those contexts interact with Chrome's password manager.
How HarborGuard Handles This
Available on HarborGuard: any image containing Google Chrome below version 149.0.7827.53 is matched against this CVE within minutes of ingestion and surfaced as a HIGH-severity finding. A patched-image rebuild at 149.0.7827.53 is available for affected environments. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the fix version, executes a regression run, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with full CVSS context and remediation diff for review.
Fix available
- Google / Chrome: < 149.0.7827.53 (fixed from 149.0.7827.53)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N