CVE-2026-8889 (Severity: HIGH, CNA: certcc)

CVE-2026-8889

Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes).

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: no fix version published upstream
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a cryptographic weakness in the Securly Chrome Extension version 3.0.7 and earlier, where SHA-1 hashing is used for URL matching against CSAM and CIPA blocklists. The vulnerability is reachable over the network with no authentication required, as any network-accessible content or URL can interact with the affected matching logic. Successful exploitation allows an attacker to craft URLs that collide with or bypass the hash-based blocklist checks, exposing confidential hash data and defeating content filtering protections. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-8889 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries, CI/CD pipelines, and custom-built images containing the Securly Chrome Extension at or below version 3.0.7.

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH based on the CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer organization based on policy configuration.

Patch: Pending upstream

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer releases a fix. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger without manual intervention once a fix version appears.

Exploit Conditions

  • Network reachability: Required

    The affected URL-matching logic is exposed over the network, meaning an attacker must be able to deliver crafted URLs or content to the extension via standard network access.

  • Authentication: Not required

    No authentication is required; the extension processes URL matching without any credential check on the submitting party.

  • Victim interaction: Not required

    No victim interaction is needed; the extension processes URLs passively without requiring a user to take a deliberate action beyond normal browsing.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions once the attacker can supply a URL that produces a SHA-1 collision or prefix match against the blocklist hashes.

Blast Radius

  • An attacker can craft URLs that produce SHA-1 collisions, bypassing CSAM URL matching across up to 25,020 hashes and CIPA blocklist matching across up to 12,352 hashes.
  • Content filtering protections are defeated, allowing blocked URLs to be accessed as if they were never on the blocklist.
  • The confidentiality impact is high: the weakness exposes the predictability and structure of the hash corpus, enabling enumeration or inference of blocked URL patterns.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active for all environments running images that include the Securly Chrome Extension at version 3.0.7 or earlier. Because no upstream fix version has been published, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression run and PR against affected workloads the moment a fix is released. In the interim, compensating controls available through HarborGuard include network-policy isolation to restrict the extension's outbound URL resolution paths, egress filtering to limit exposure surfaces, and policy-level flagging of the affected image layer to block promotion to production until the fix is available. Where compliance policy permits, affected images are held at a warning gate in the pipeline rather than failing silently.

Affected packages

  • Securly / Securly Chrome Extension, versions ≤ 3.0.7

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N