How is CVE-2026-11689 exploited?

Network reachability (required): The attacker must reach the victim over the network, typically by serving a crafted HTML page from a remote host. Authentication (not-required): No credentials or account are needed; the attacker requires only that the victim's renderer process has already been compromised before this step. Victim interaction (required): The victim must load or interact with the attacker's crafted HTML page, making this a social-engineering-dependent attack. Attack complexity (info): Attack complexity is low, meaning the exploit does not depend on race conditions or specific memory layout and can be executed reliably once the renderer is compromised.

What is the impact of CVE-2026-11689?

Reads stored passwords and credentials protected by site isolation across origins the attacker should not be able to access. Modifies or corrupts password data persisted in Chrome's password store, potentially planting or altering saved credentials. Bypasses the site isolation boundary, allowing cross-origin data from sensitive domains to be exfiltrated through the compromised renderer. Availability is not impacted; the service continues running while the credential theft or tampering occurs silently.

Back to search

HIGHCVE-2026-11689Published 2026-06-08Modified 2026-06-09CNA Chrome

CVE-2026-11689: Insufficient policy enforcement in Passwords in Google Chrome prior to 149

Insufficient policy enforcement in Passwords in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 149.0.7827.103
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an insufficient policy enforcement vulnerability in Google Chrome's password subsystem, affecting all versions prior to 149.0.7827.103. A remote attacker who has already compromised the Chrome renderer process can exploit it by delivering a crafted HTML page, bypassing site isolation without needing any authentication. Successful exploitation gives the attacker high-confidence read access to stored credentials and the ability to tamper with password data across origins that site isolation is meant to keep separate. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle or depend on a Chrome distribution. Any image carrying a Chrome version below 149.0.7827.103 is flagged automatically.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.1 (HIGH) and weighting it against each environment's compliance policy to determine ticket priority and escalation path. Routing to the appropriate team inbox within each customer organization is part of the standard triage pipeline.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.103 becomes available through HarborGuard once the upstream fix is confirmed, which has already occurred for this CVE. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the victim over the network, typically by serving a crafted HTML page from a remote host.
AuthenticationNot required
No credentials or account are needed; the attacker requires only that the victim's renderer process has already been compromised before this step.
Victim interactionRequired
The victim must load or interact with the attacker's crafted HTML page, making this a social-engineering-dependent attack.
Attack complexityDetail
Attack complexity is low, meaning the exploit does not depend on race conditions or specific memory layout and can be executed reliably once the renderer is compromised.

Blast Radius

Reads stored passwords and credentials protected by site isolation across origins the attacker should not be able to access.
Modifies or corrupts password data persisted in Chrome's password store, potentially planting or altering saved credentials.
Bypasses the site isolation boundary, allowing cross-origin data from sensitive domains to be exfiltrated through the compromised renderer.
Availability is not impacted; the service continues running while the credential theft or tampering occurs silently.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE fires within minutes of ingestion for any image carrying Chrome below 149.0.7827.103, covering both upstream base images and custom-built images that bundle Chrome. The finding is scored at CVSS 8.1 (HIGH) and routed according to each environment's compliance policy. A rebuild at the patched version 149.0.7827.103 is available; for customers who opt into auto-remediation, HarborGuard can execute the full rebuild-and-PR flow, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding surfaces in the dashboard with remediation guidance pointing to the confirmed fix version.

See how HarborGuard automates this

Fix available

149.0.7827.103

Affected packages

Google / Chrome
< 149.0.7827.103 (from 149.0.7827.103)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available