CVE-2026-11291 in Chrome
Summary
by MITRE • 06/05/2026
Inappropriate implementation in Android Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Analysis
by VulDB Data Team • 06/05/2026
This vulnerability resides in the Android Autofill implementation within Google Chrome on Android systems prior to version 149.0.7827.53, representing a security flaw that could potentially allow remote attackers to circumvent critical web security mechanisms. The issue stems from improper handling of cross-origin resource sharing restrictions within the browser's autofill functionality, creating a pathway for malicious actors to exploit the same origin policy enforcement. The vulnerability is classified as low severity by Chromium security standards but remains significant due to its potential to undermine fundamental web security principles that protect user data and privacy. The affected implementation fails to properly validate or enforce origin-based restrictions when processing autofill-related operations, allowing crafted HTML content to manipulate the browser's security boundaries.
The technical flaw manifests when Chrome processes web pages containing maliciously constructed HTML elements that interact with the autofill system in ways that bypass normal cross-origin restrictions. This occurs because the autofill implementation does not adequately verify the originating domain of autofill requests or responses, enabling attackers to inject or manipulate autofill data from unauthorized origins. The vulnerability specifically impacts how Chrome handles same origin policy enforcement within its Android Autofill framework, where legitimate autofill operations should be restricted to the same origin as the requesting page. Attackers can craft HTML pages that exploit this gap to perform unauthorized autofill operations, potentially accessing or manipulating sensitive user data that should remain isolated to its originating domain. This flaw operates at the intersection of browser security policies and web application interfaces, creating an unexpected attack vector through the seemingly benign autofill functionality.
The operational impact of this vulnerability extends beyond simple data exposure, as it represents a potential pathway for more sophisticated attacks that could lead to credential theft, session hijacking, or data manipulation. While the initial severity classification is low, the vulnerability's ability to bypass same origin policy enforcement creates opportunities for attackers to perform cross-origin data leakage or manipulation. In practical scenarios, this could allow an attacker to inject malicious autofill data into forms on legitimate websites, potentially capturing user credentials or personal information. The vulnerability is particularly concerning in mobile environments where users may be less vigilant about security warnings or may interact with untrusted websites. The attack surface is expanded by the fact that the vulnerability affects the Android version of Chrome, which is widely used and often integrated into other applications and services that rely on web-based authentication or data entry mechanisms.
Mitigation strategies should focus on immediate software updates to version 149.0.7827.53 or later, which contains the necessary patches to properly enforce same origin policy restrictions within the autofill implementation. System administrators and users should prioritize updating their Chrome installations to ensure protection against this specific vulnerability. Additional protective measures include implementing network-level monitoring to detect anomalous autofill-related traffic patterns, enabling browser security features such as strict content security policies, and conducting regular security assessments of web applications that utilize autofill functionality. Organizations should also consider implementing web application firewalls or security proxies that can detect and block suspicious cross-origin autofill requests. The vulnerability aligns with CWE-345 (Insufficient Verification of Data Authenticity), as the system fails to properly authenticate or verify the origin of autofill data. From an ATT&CK framework perspective, this vulnerability maps to T1531 (Account Access Removal) and T1071.001 (Application Layer Protocol: Web Protocols), as it enables unauthorized access to web-based authentication systems through manipulation of browser security controls. Regular security audits should also verify that no custom implementations or third-party extensions are bypassing the patched security controls, as these could potentially reintroduce similar vulnerabilities.
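One way to check a device inventory or proxy log against the fixed version named above, as an added example that is not from MITRE or VulDB. The device names, the build numbers other than 149.0.7827.53, and the decision to treat WebView and other Chromium-based browsers as out of scope are assumptions made for illustration.

```python
import re

FIXED = (149, 0, 7827, 53)  # first fixed Chrome for Android build, per the advisory

_CHROME = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
# Assumption: WebView ("; wv)") and other Chromium-based browsers are out of scope,
# because the advisory names only Google Chrome on Android.
_OTHER = re.compile(r"EdgA/|OPR/|SamsungBrowser/|; wv\)")

def parse_version(text):
    """Return a 4-tuple of ints from 'a.b.c.d', or None if the field is malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(map(int, m.groups())) if m else None

def classify_version(version):
    """Return 'vulnerable', 'patched' or 'unknown' for a version tuple."""
    if version is None:
        return "unknown"
    if version[1:] == (0, 0, 0):
        # User-Agent reduction reports only the major version (e.g. 149.0.0.0),
        # so a device on the fixed major cannot be judged from the UA alone.
        if version[0] == FIXED[0]:
            return "unknown"
        return "vulnerable" if version[0] < FIXED[0] else "patched"
    return "vulnerable" if version < FIXED else "patched"

def classify_user_agent(ua):
    """Classify a User-Agent string; 'not-applicable' unless it is Chrome on Android."""
    m = _CHROME.search(ua)
    if "Android" not in ua or _OTHER.search(ua) or not m:
        return "not-applicable"
    return classify_version(tuple(map(int, m.groups())))

def audit(inventory):
    """Map device -> verdict from com.android.chrome versionName strings."""
    return {dev: classify_version(parse_version(v)) for dev, v in inventory.items()}

# Constructed sample inventory (device names and non-advisory build numbers are made up).
INVENTORY = {
    "phone-01": "148.0.7778.120",
    "phone-02": "149.0.7827.53",
    "phone-03": "149.0.7827.41",
    "tablet-04": "not installed",
}

if __name__ == "__main__":
    for device, verdict in audit(INVENTORY).items():
        print(device, verdict)
```

A device that comes back `unknown` from a User-Agent needs its installed package version from the management inventory before it can be marked patched.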