HarborGuard Database
CVE-2026-8874 (HIGH) · CNA: certcc

Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: 3.0.7
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a man-in-the-middle vulnerability affecting the Securly Chrome Extension versions prior to 3.0.7. The extension fetches JSON files containing crisis alert keywords and content-filtering rules over unencrypted HTTP, allowing an attacker on the same network segment to intercept and tamper with those downloads. Successful exploitation lets an attacker silently modify the keyword and filtering rule sets the extension relies on, suppressing alerts or bypassing content controls. A patched-image rebuild at version 3.0.7 is available on HarborGuard for environments running an affected version.
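The weak pattern the advisory describes beside a hardened version, as an added example that is not the Securly extension's code: the feed URLs, the assumed JSON shape ({ version, keywords }) and the fake fetch used in testing are constructed assumptions.

```javascript
// Added example, not the Securly extension's code. Feed URLs and the JSON shape
// { version, keywords: [...] } are constructed assumptions for illustration.
// Weak configuration mirroring the advisory: one feed over plaintext HTTP,
// the other over HTTPS (hosts are placeholders, not the real endpoints).
const WEAK_FEEDS = {
  crisisKeywords: 'http://rules.example.invalid/crisis-keywords.json',
  filteringRules: 'https://rules.example.invalid/filtering-rules.json',
};

// Corrected configuration: every rule feed is fetched over TLS.
const HARDENED_FEEDS = {
  crisisKeywords: 'https://rules.example.invalid/crisis-keywords.json',
  filteringRules: 'https://rules.example.invalid/filtering-rules.json',
};

// Build/lint-time audit: names every feed whose URL is not https:, so an
// inconsistent mix like the one in the advisory fails before release.
function findPlaintextFeeds(feeds) {
  return Object.keys(feeds).filter((name) => new URL(feeds[name]).protocol !== 'https:');
}

// Runtime guard: refuse anything but https: before a request leaves the extension.
function assertHttps(url) {
  const parsed = new URL(url);
  if (parsed.protocol !== 'https:') throw new Error(`refusing plaintext rule feed: ${url}`);
  return parsed;
}

// Shape check so a malformed body cannot silently replace the keyword set
// with an empty list or non-string entries.
function validateKeywordFeed(body) {
  if (!body || typeof body !== 'object' || !Array.isArray(body.keywords)) {
    throw new Error('rule feed is missing a "keywords" array');
  }
  const ok = body.keywords.length > 0 &&
    body.keywords.every((k) => typeof k === 'string' && k.trim() !== '');
  if (!ok) throw new Error('keywords must be a non-empty list of non-empty strings');
  return { version: String(body.version ?? 'unknown'), keywords: body.keywords.map((k) => k.trim()) };
}

// Hardened download: TLS-only URL, no redirect that could downgrade the scheme,
// JSON content type, then the shape check. fetchImpl is injectable for offline tests.
async function fetchRuleFeed(url, fetchImpl = globalThis.fetch) {
  assertHttps(url);
  const res = await fetchImpl(url, { cache: 'no-store', redirect: 'error' });
  if (!res.ok) throw new Error(`rule feed ${url} returned HTTP ${res.status}`);
  const type = res.headers.get('content-type') || '';
  if (!/^application\/json\b/i.test(type)) throw new Error(`unexpected content-type "${type}"`);
  return validateKeywordFeed(await res.json());
}
```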

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-8874 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle the Securly Chrome Extension. No manual feed configuration is required for coverage to take effect.

Triage: Available

HarborGuard scores this finding at CVSS 7.1 (HIGH) and weights it against each environment's compliance policy, with particular attention to policies covering content-safety or student-safety controls where suppression of crisis alerts carries elevated organizational risk. Triage routing delivers the finding to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at version 3.0.7 becomes available on HarborGuard for any image found to include an affected version of the extension. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test pass, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability

    The attacker must be present on the same adjacent network as the victim, such as a shared LAN, Wi-Fi segment, or VPN, to intercept the unencrypted HTTP fetch.

  • Authentication: Not required

    No credentials or account are needed; any unauthenticated party on the adjacent network can carry out the attack.

  • Victim interaction: Not required

    The extension fetches the JSON files automatically in the background, so no user action is required to trigger the vulnerable request.

  • Attack complexity

    Exploiting this requires only a standard HTTP interception or spoofing tool on the local network segment; no race conditions or special environmental conditions are needed.

Blast Radius

  • An attacker reads the plaintext crisis alert keyword lists and content-filtering rules as they travel over the network, exposing the full rule configuration.
  • An attacker modifies the downloaded JSON payload in transit, replacing or removing crisis keywords so that the extension fails to trigger alerts for at-risk users.
  • An attacker injects arbitrary filtering rules, causing the extension to block or allow content categories that the deploying organization did not intend.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-8874 runs automatically against all registered images, with results surfaced at HIGH severity (CVSS 7.1). Where an affected version of the Securly Chrome Extension is detected, a rebuild targeting version 3.0.7 is made available immediately. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes a regression test run, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. For environments where auto-remediation is not enabled, the finding is routed to the designated team inbox with full CVSS context and a direct reference to the 3.0.7 fix so engineers can act without additional research.


Fix available: 3.0.7

Affected packages

  • Securly / Securly Chrome Extension: < 3.0.7 (from 0)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
References