CVE-2026-14155 in Chrome

Summary

by MITRE • 07/01/2026

Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)


Analysis

by VulDB Data Team • 07/01/2026

The vulnerability is insufficient policy enforcement in the StorageAccessAPI implementation of Google Chrome before 150.0.7871.47. The Storage Access API lets a cross-site embedded document (typically an iframe) ask the browser for access to its own unpartitioned cookies and storage, which third-party cookie restrictions would otherwise withhold. The browser is expected to grant that access only for the specific (top-level site, embedded site) pair the user approved, and only where the embedder's permissions policy allows the feature. When that check is enforced incompletely, a cross-site document can end up with storage access it was never granted, which undermines the isolation the web's origin model relies on.

The flaw is in how the browser validates the requesting context before honoring a storage-access request. A crafted HTML page can arrange the embedding so that the API's checks pass in a case where they should not, and the resulting access leaks cross-origin data. The advisory does not state which check is skipped or what data becomes reachable, so the exact bypass cannot be reconstructed from this page alone.

Unpartitioned storage is where embedded third parties keep login state, so a leak through this API can expose data that should have stayed confined to its own site, such as cookies or other persistent storage scoped to the embedded site. Depending on what is exposed, that could feed session hijacking or data exfiltration from authenticated web applications; nothing on this page demonstrates that level of impact, and the Low severity rating suggests a narrow leak rather than wholesale access to another site's storage.

The weakness is classified as CWE-693 (Protection Mechanism Failure): a defense exists but is not applied in every case that needs it. No specific ATT&CK technique is given on the page; a browser-side cross-origin leak would at most be a building block for credential access or collection. The Chromium severity of Low reflects that exploitation requires the victim to load attacker-controlled HTML and that the obtainable information is limited, but the bug is still a break in a web-platform isolation boundary and could be chained with other issues.

The mitigation is to update Chrome to 150.0.7871.47 or later; the page does not describe the fix itself. Site-side controls such as Content Security Policy do not close a browser-side isolation bug. As general hardening, a top-level page that does not need the Storage Access API can deny the feature with the storage-access permissions-policy directive, which limits what embedded content can request in the first place. Organizations should keep automatic browser updates enabled and treat untrusted web content as able to probe browser-level bugs until the update is deployed.
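To make the permission model concrete, the following is an added example written for this page, not code from the advisory or from Chromium. It models the browser-side check the analysis refers to and the iframe-side call sequence: `document.hasStorageAccess()` and `document.requestStorageAccess()` are the real DOM methods, while `StorageAccessPolicy`, `siteOf`, `makeStubDocument`, the origins and the cookie value are illustrative assumptions.

```javascript
// Added example for this page; not code from the advisory or from Chromium.
// It models the two halves of the Storage Access API:
//  - a browser-side permission check (StorageAccessPolicy, siteOf and the
//    grant store are illustrative assumptions, not Chromium's implementation)
//  - the iframe-side request pattern using the real DOM methods
//    document.hasStorageAccess() and document.requestStorageAccess()

// Browsers scope grants to sites (registrable domains, eTLD+1) using the
// Public Suffix List. This toy keeps the last two host labels, which is only
// right for simple suffixes; treat it as an assumption, not a PSL lookup.
function siteOf(origin) {
  const u = new URL(origin);
  const labels = u.hostname.split('.');
  return `${u.protocol}//${labels.slice(-2).join('.')}`;
}

class StorageAccessPolicy {
  constructor() {
    this.grants = new Set(); // keyed on (top-level site, embedded site)
  }

  static key(topLevelOrigin, embeddedOrigin) {
    return `${siteOf(topLevelOrigin)}|${siteOf(embeddedOrigin)}`;
  }

  // Recorded once the user accepts the prompt raised by requestStorageAccess().
  grant(topLevelOrigin, embeddedOrigin) {
    this.grants.add(StorageAccessPolicy.key(topLevelOrigin, embeddedOrigin));
  }

  // The check that "policy enforcement" has to get right: unpartitioned
  // storage is available only when the embedder's Permissions-Policy allows
  // the storage-access feature AND a grant exists for exactly this
  // (top-level site, frame site) pair. A grant for widget.example under
  // shop.example must not be usable by another frame under shop.example,
  // nor by widget.example under a different top-level site.
  hasAccess({ topLevelOrigin, frameOrigin, policyAllowed = true }) {
    if (!policyAllowed) return false;
    return this.grants.has(StorageAccessPolicy.key(topLevelOrigin, frameOrigin));
  }
}

// Iframe-side pattern. `doc` is a Document-like object so the same function
// runs in a browser (pass `document` from a click handler) and under a stub.
async function readUnpartitionedCookies(doc) {
  if (!(await doc.hasStorageAccess())) {
    try {
      // Requires transient user activation; rejects with NotAllowedError
      // when the user agent or the user denies the request.
      await doc.requestStorageAccess();
    } catch (err) {
      return { granted: false, cookie: '' };
    }
  }
  return { granted: true, cookie: doc.cookie };
}

// Stub Document whose answers are driven by the policy model above. `ctx`
// carries the embedding context and the user's decisions; `cookieJar` is a
// constructed cookie string standing in for the frame's unpartitioned cookies.
function makeStubDocument(policy, ctx, cookieJar) {
  return {
    get cookie() {
      return policy.hasAccess(ctx) ? cookieJar : '';
    },
    hasStorageAccess: async () => policy.hasAccess(ctx),
    requestStorageAccess: async () => {
      if (!ctx.userActivation) throw new Error('NotAllowedError: no user activation');
      if (!ctx.policyAllowed) throw new Error('NotAllowedError: blocked by Permissions-Policy');
      if (!ctx.userAccepts) throw new Error('NotAllowedError: user declined');
      policy.grant(ctx.topLevelOrigin, ctx.frameOrigin);
    },
  };
}

// Constructed scenarios: a widget.example iframe embedded on shop.example.
async function demo() {
  const base = {
    topLevelOrigin: 'https://shop.example',
    frameOrigin: 'https://widget.example',
    policyAllowed: true,
    userActivation: true,
  };
  const jar = 'sid=abc123';
  return {
    accepted: await readUnpartitionedCookies(
      makeStubDocument(new StorageAccessPolicy(), { ...base, userAccepts: true }, jar)),
    declined: await readUnpartitionedCookies(
      makeStubDocument(new StorageAccessPolicy(), { ...base, userAccepts: false }, jar)),
    noGesture: await readUnpartitionedCookies(
      makeStubDocument(new StorageAccessPolicy(), { ...base, userActivation: false, userAccepts: true }, jar)),
    policyDenied: await readUnpartitionedCookies(
      makeStubDocument(new StorageAccessPolicy(), { ...base, policyAllowed: false, userAccepts: true }, jar)),
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a real page the iframe calls `readUnpartitionedCookies(document)` from a click handler, since `requestStorageAccess()` needs transient user activation. The embedding page can refuse the feature for all frames with a `Permissions-Policy: storage-access=()` response header, which the `policyAllowed` flag stands in for here. The point of the negative cases in `hasAccess` is the one the advisory is about: a grant is valid only for the exact site pair it was issued for, and any path that lets a differently-embedded or differently-sited frame reuse it is a policy-enforcement gap.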

Responsible

Chrome

Reservation

06/30/2026

Disclosure

07/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
