CVE-2026-1504 in Chrome

Summary

by MITRE • 01/27/2026

Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)


Analysis

by VulDB Data Team • 01/30/2026

CVE-2026-1504 is a high-severity flaw (Chromium rates it High, not Critical) in the Background Fetch API implementation of Google Chrome before version 144.0.7559.110. Chromium describes it as an "inappropriate implementation", and it falls under the category of improper access control: a crafted page could obtain data belonging to a different origin. The Background Fetch API lets a web application hand a set of fetch requests to its service worker so that the transfers continue after the user navigates away or closes the browser, which makes it useful for offline applications and large downloads. The same property makes it a sensitive piece of the browser: it performs requests on behalf of an origin that may no longer be in the foreground, and everything the origin can later observe about those requests must stay confined by the same-origin policy. The flawed implementation did not keep that confinement, giving a malicious page a path to cross-origin data.

The public advisory says nothing beyond "inappropriate implementation" and "leak cross-origin data", and Chromium typically keeps the underlying bug report restricted until the fix has reached most users, so the exact mechanism cannot be stated here. What can be said is where the security boundary lies. A page that registers a background fetch may hand it requests for any URL, including cross-origin ones, and can later observe the fetch through the registration object, its progress events, the service worker's success and failure events, and the responses stored on the fetch records. In a correct implementation, what a page learns about a cross-origin response through any of these points is limited exactly as it is for an ordinary fetch(): without CORS approval the response is opaque, and the page gets neither its body nor details such as its status. A leak means one of these observation points revealed more than that about a cross-origin response; which point, and how much, is not described in the advisory.

The practical impact is that a remote attacker can obtain cross-origin data from a victim who merely visits a malicious page; no further user interaction, no additional privileges and no special tooling are required, and the attack runs entirely inside the browser's normal web execution environment. The data at risk is whatever the victim's browser can retrieve from other origins, which for endpoints that serve content tied to the victim's session means information that the same-origin policy exists to keep from foreign pages. Chromium rates the issue High rather than Critical because it is a confidentiality break, not a memory-safety bug or a sandbox escape: it leaks data across origins but does not by itself give the attacker code execution. At the time this page was written the entry lists no known exploitation (not in KEV, EPSS 0.00059, activity "very low").

Organizations should update Chrome to version 144.0.7559.110 or later; the defect is in the browser, so the update is the only fix. Google has not described the change beyond shipping it in that release. Administrators who manage browser fleets should verify the installed version rather than assume auto-update has run, and should use Chrome's enterprise update policies to force the rollout where it has stalled. A web application firewall cannot address this issue, since the leak happens inside the client after the server has legitimately answered a request from the victim's own browser. Server operators of applications that hold sensitive per-user data can still reduce the impact of cross-origin leaks in general through standard resource-isolation measures (Cross-Origin-Resource-Policy, strict CORS, and Fetch Metadata-based request checks), but these are defense in depth, not a mitigation specific to this CVE. VulDB classifies the weakness as CWE-284 (Improper Access Control) and maps it to ATT&CK technique T1071.004 (Application Layer Protocol: DNS) for the case where leaked data is exfiltrated over DNS; note that this mapping describes a possible exfiltration channel after the leak, not the leak itself.

Responsible

Chrome

Reservation

01/27/2026

Disclosure

01/27/2026

Moderation

accepted

CPE

ready

EPSS

0.00059

KEV

no

Activities

very low
