HarborGuard Database
Severity: HIGH | CNA: certcc | Published | Modified

CVE-2026-8881

Version 3.0.7 of the Securly Chrome Extension derives its AES encryption keys with EVP_BytesToKey using MD5 and a single iteration. MD5's collision resistance has been broken since 2004, and a single iteration provides no key stretching: each candidate password costs an attacker one MD5 computation, so offline guessing is as fast as the hash itself.

Metrics

CVSS v3.1 score: 7.5
Severity: HIGH
Fixed in: no fixed version published upstream
Affected products: 1


HarborGuard Analysis

Synopsis

A weak cryptographic key derivation vulnerability exists in the Securly Chrome Extension versions 3.0.7 and earlier. The extension derives AES encryption keys using EVP_BytesToKey with MD5 and a single iteration. MD5's collision resistance has been broken since 2004, and because no key stretching is applied, an attacker who obtains ciphertext produced by the extension can test password candidates offline at one MD5 computation per guess, which makes brute-force and dictionary attacks on the derived key cheap. The CVSS vector scores the weakness as network-reachable with no privileges or user interaction required (AV:N/PR:N/UI:N), with full disclosure of the confidential information the extension protects (C:H). HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle the Securly Chrome Extension at an affected version. No manual configuration is required for coverage to apply.

Triage: Available

HarborGuard scores this CVE at CVSS 7.5 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream fix ships. In the meantime, affected images remain flagged and visible in each environment's open-findings queue.

Exploit Conditions

  • Network reachability: Required

    The CVSS vector specifies AV:N, so the scoring assumes the attacker reaches the affected component over the network; no local or physical access is required.

  • Authentication: Not required

    No credentials or session tokens are needed; PR:N means any unauthenticated party can attempt to exploit the weak key derivation.

  • Victim interaction: Not required

    The vulnerability is exploitable without any action from a user; UI:N confirms no social engineering or click is involved.

  • Attack complexity: Low

    AC:L indicates no race conditions, special memory layout, or environmental dependencies must be satisfied; once the attacker holds ciphertext produced by the extension, the offline guessing attack is reliable and repeatable.

Blast Radius

  • An attacker recovers plaintext data that the extension encrypted under the weakly derived AES key, including any session material, credentials, or user activity records the extension was protecting.
  • Confidentiality impact is rated HIGH (C:H), meaning the full scope of protected data is readable by the attacker, not just partial or sampled records.
  • Integrity and availability are unaffected by this CVE; the attacker gains read access only and cannot modify or disrupt the extension's operation through this vector alone.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored with no upstream fix currently available. Images containing the Securly Chrome Extension at version 3.0.7 or earlier are flagged in each customer environment's findings queue. As compensating controls, teams can consider network-policy isolation to restrict which hosts the extension-bearing container or browser environment can reach, egress filtering to limit exfiltration paths if encrypted data is transmitted externally, and feature-flag gating to disable extension functionality until a patched release is available. HarborGuard will ingest a fix version the moment one is published and, for customers with auto-remediation enabled, will initiate an image rebuild, run regression tests, and open a pull request against affected workloads automatically.

Affected packages
  • Securly / Securly Chrome Extension: ≤ 3.0.7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N