On June 30, 2026, the National Vulnerability Database published CVE-2026-14057—a high-severity flaw in Google Chrome’s Federated Credential Management (FedCM) API that allows remote attackers to bypass the browser’s same-origin policy. Google has already patched the vulnerability in Chrome 150.0.7871.47, released earlier that day. If you haven’t updated yet, your online accounts are at risk.
What Actually Broke: FedCM’s Same-Origin Check
FedCM is the backbone of streamlined web identity. It lets you click “Sign in with Google” (or another provider) and seamlessly authenticate without third-party cookies. Under the hood, it brokers trust between your browser, the identity provider, and the site you’re visiting—ensuring that a script from evil.com can’t read your login status on bank.com. That guarantee rests entirely on the browser’s same-origin policy: pages from different origins must not touch each other’s data unless explicitly granted.
CVE-2026-14057 punctured that guarantee. According to the NVD advisory, the vulnerability stems from an implementation error in FedCM’s identity assertion flow. A remote attacker can craft a malicious HTML page that, when opened by a victim, triggers a flawed code path in Chrome’s FedCM logic. The result: the attacker’s page escapes its origin sandbox and reads or manipulates FedCM responses intended for a different website. The advisory stops short of detailing the exact mechanics—likely to prevent immediate exploitation before everyone patches—but the description is stark: “could allow a remote attacker to bypass the same-origin policy via a crafted HTML page.”
The attack requires user interaction, but only the minimal kind: the victim has to open the attacker’s page. The NVD description says nothing about what else, if anything, is needed, such as a click or the usual FedCM account-chooser prompt, so until Google publishes details, treat merely loading a malicious page as sufficient. And because FedCM is used by thousands of websites for single sign-on, the blast radius is wide.
Who Is Affected and What’s at Stake
Home users: If your Chrome version is older than 150.0.7871.47, every FedCM-based login you use is exposed. That includes “Sign in with Google” and any other identity provider your favorite sites have wired up through FedCM. An attacker who lures you to a booby-trapped page could capture the identity tokens FedCM hands back to those sites, and a stolen token is a short step from account takeover: the attacker can sign in as you, read private data, or make changes. The advisory describes no warning or prompt that would tip you off, so you might not learn of it until it’s too late.
IT administrators: In enterprise environments, FedCM often ties into Google Workspace, Microsoft 365, or corporate IdPs for single sign-on. A single user who hasn’t updated Chrome can give an attacker a foothold into cloud resources. Worse, because the bypass happens inside the browser, network controls see nothing unusual: the exploit page is ordinary HTML, and the FedCM requests it triggers look like legitimate sign-in traffic. A web filter can still block a known-bad URL, but it cannot recognize the bypass itself. Security teams should treat this as a zero-day-style risk until every managed device is updated.
Web developers and identity providers: If your site relies on FedCM, audit your Relying Party implementation. The FedCM spec expects the browser to enforce origin isolation; this bug removed that enforcement. While the patch fixes the browser, there’s still a risk that attackers exploited the window before disclosure. Check your authentication logs for unusual patterns: tokens issued from unexpected IPs, rapid-fire logins for a single user, or ID assertion requests whose Origin header doesn’t match the origin registered for the submitted client_id. Also review your Content Security Policy and CORS settings; they couldn’t have prevented this bypass on their own, but they add defense in depth.
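One way to run the log review described above, as an added example that is not code from the article or from any identity provider. It assumes a JSON-lines token-issuance log with ts, user, ip, origin and client_id fields, a registry of which origins each client_id may use, a per-user list of previously seen IPs, and a burst threshold of five tokens in sixty seconds; the sample records, registries and thresholds are all constructed for illustration.

```javascript
// Added example, not code from the article or from any IdP: triage of
// FedCM token-issuance logs for the three patterns the text lists.
// Log format, field names, registries and thresholds are all assumptions.

// Constructed sample log: one JSON line per token issued by a hypothetical IdP.
const SAMPLE_LOG = [
  '{"ts":"2026-06-30T09:00:00Z","user":"alice","ip":"203.0.113.10","origin":"https://shop.example","client_id":"shop-web"}',
  '{"ts":"2026-06-30T09:00:02Z","user":"alice","ip":"203.0.113.10","origin":"https://evil.example","client_id":"shop-web"}',
  '{"ts":"2026-06-30T09:01:00Z","user":"bob","ip":"198.51.100.7","origin":"https://shop.example","client_id":"shop-web"}',
  '{"ts":"2026-06-30T09:02:00Z","user":"carol","ip":"203.0.113.99","origin":"https://shop.example","client_id":"shop-web"}',
  '{"ts":"2026-06-30T09:02:05Z","user":"carol","ip":"203.0.113.99","origin":"https://shop.example","client_id":"shop-web"}',
  '{"ts":"2026-06-30T09:02:10Z","user":"carol","ip":"203.0.113.99","origin":"https://shop.example","client_id":"shop-web"}',
  '{"ts":"2026-06-30T09:02:15Z","user":"carol","ip":"203.0.113.99","origin":"https://shop.example","client_id":"shop-web"}',
  '{"ts":"2026-06-30T09:02:20Z","user":"carol","ip":"203.0.113.99","origin":"https://shop.example","client_id":"shop-web"}',
];

// Assumed registry: which RP origins each client_id was registered for.
const CLIENT_ORIGINS = { 'shop-web': new Set(['https://shop.example']) };

// Assumed baseline: IPs each user was seen from before the disclosure window.
const KNOWN_IPS = {
  alice: new Set(['203.0.113.10']),
  bob: new Set(['198.51.100.7']),
  carol: new Set(['192.0.2.5']),
};

// Parse JSON lines and order them by timestamp so the burst window is correct.
function parseLog(lines) {
  return lines
    .map((line) => JSON.parse(line))
    .sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
}

// Walk the records once and emit one finding per suspicious event:
//  - origin_mismatch: token issued to an origin not registered for client_id
//  - unexpected_ip:   token issued from an IP this user has never used
//  - burst:           burstCount or more tokens for one user inside burstWindowMs
function findAnomalies(records, clientOrigins, knownIps,
                       { burstCount = 5, burstWindowMs = 60_000 } = {}) {
  const findings = [];
  const recentByUser = new Map(); // user -> timestamps inside the sliding window
  const burstFlagged = new Set(); // flag each user's burst only once

  for (const r of records) {
    const allowed = clientOrigins[r.client_id];
    if (!allowed || !allowed.has(r.origin)) {
      findings.push({ type: 'origin_mismatch', user: r.user, ts: r.ts,
                      origin: r.origin, client_id: r.client_id });
    }

    const known = knownIps[r.user];
    if (known && !known.has(r.ip)) {
      findings.push({ type: 'unexpected_ip', user: r.user, ts: r.ts, ip: r.ip });
    }

    const t = Date.parse(r.ts);
    const recent = (recentByUser.get(r.user) ?? []).filter((x) => t - x < burstWindowMs);
    recent.push(t);
    recentByUser.set(r.user, recent);
    if (recent.length >= burstCount && !burstFlagged.has(r.user)) {
      burstFlagged.add(r.user);
      findings.push({ type: 'burst', user: r.user, ts: r.ts,
                      count: recent.length, windowMs: burstWindowMs });
    }
  }
  return findings;
}

const FINDINGS = findAnomalies(parseLog(SAMPLE_LOG), CLIENT_ORIGINS, KNOWN_IPS);
for (const f of FINDINGS) console.log(f.type, f.user, f.ts);
```

On the constructed sample this flags alice’s token issued to https://evil.example, carol’s five tokens from an IP outside her baseline, and carol’s burst. The origin check is the one that maps most directly to this bug: a legitimate browser only ever asks for a token on behalf of the origin the user is actually visiting.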
The Road to the Fix
FedCM didn’t appear overnight. Google first introduced it in 2022 as a privacy-preserving alternative to third-party cookie-based federated login. By 2026, it’s the default identity primitive across the web, powering sign-in flows for billions of users. Any new browser API undergoes rigorous security review, but the complexity of cross-origin communication makes it a magnet for subtle bugs.
CVE-2026-14057 isn’t the first FedCM fix Chrome has shipped. Earlier FedCM issues involved information leaks or token manipulation, but none broke the same-origin barrier so cleanly. That’s what makes this one alarming. The NVD published the advisory on June 30, 2026, but the timeline suggests Google knew earlier: the fix arrived in Chrome 150.0.7871.47, which Google pushed to stable on the same day. The Chrome release blog typically details security fixes; for this one, Google’s official post acknowledged the contribution of an external researcher, though the name wasn’t disclosed at press time.
The Common Platform Enumeration (CPE) entries for affected software have been updated as well, so vulnerability scanners can now flag unpatched Chrome installations. If your organization uses tools like Tenable, Qualys, or Rapid7, a new detection signature should be live. Other Chromium-based browsers (Edge, Brave, Opera) ship the same Chromium FedCM code, so they are likely affected until they pick up the corresponding Chromium update; official advisories from those vendors are still pending. Edge, for instance, often inherits Chrome’s security patches on a slight lag. Check your browser’s auto-update status.
Your Immediate Action Plan
1. Check and update Chrome—right now. Type chrome://settings/help into your address bar. If the version shown is 150.0.7871.47 or higher, you’re safe. If not, the browser will begin downloading the update automatically. Click “Relaunch” to finish the process. This is non-negotiable: all other mitigations are secondary.
2. Verify the patch on mobile. Android and iOS Chrome updates roll out via app stores, which can take a few hours longer. Open the Play Store or App Store, search for Chrome, and hit update. The patched version number on mobile often matches the desktop build, but go by the release date—look for an update dated June 30 or later.
3. Force updates in enterprise environments. If you manage Chrome through Group Policy, use the Google Update and Chrome administrative templates to push the update and force a relaunch (setting RelaunchNotification to Required with a short RelaunchNotificationPeriod closes the window in which users keep running the old binary after it has downloaded). For Microsoft Intune or Jamf, push the latest stable bundle immediately. Consider temporarily disabling FedCM through Chrome’s enterprise policy for it (confirm the current policy name in the Chrome Enterprise policy list for your version) until all endpoints are updated, though that will break single sign-on for services that depend on it; weigh the risk.
4. Monitor beyond Chrome. If your users run Chromium-based alternatives, confirm those browsers have shipped the fix. Until they do, advise using a patched Chrome or a non-Chromium browser: Firefox and Safari do not share Chromium’s FedCM code, so this bug does not carry over to them.
5. Harden your web properties. As an identity provider, require Sec-Fetch-Dest: webidentity on your FedCM endpoints and, on the ID assertion endpoint, reject requests whose Origin header doesn’t match the origin registered for the submitted client_id. As a relying party, pass a fresh nonce in every navigator.credentials.get() call and verify it, together with the audience, in the returned token. These checks stop forged requests; they cannot stop a vulnerable browser from handing a genuine response to the wrong page, so also rotate any tokens that may have been exposed, and consider requiring re-authentication with multi-factor authentication for high-value actions until you’re confident the threat has passed.
6. Keep an eye on CPE updates. The NVD catalog entry for CVE-2026-14057 now includes a CPE match string for Chrome versions prior to 150.0.7871.47. Integrate that into your vulnerability management dashboard to track compliance.
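An added example (not the article’s code, nor any vendor’s) of the endpoint checks recommended in step 5 and of the relying-party audit from the previous section. It assumes an ID assertion endpoint that receives a form-encoded body, a registry mapping each client_id to its registered origins, a server-side store of nonces the RP’s backend issued to its own pages, and token signature verification done elsewhere; the request objects, registry and nonce values are constructed.

```javascript
// Added example, not code from the article or from any identity provider:
// server-side checks for a FedCM ID assertion endpoint, plus the RP-side
// nonce binding that lets the RP reject a token minted for another page.
// The client registry, nonce store and request shape are assumptions.

// Assumed registry: each client_id is registered for one or more RP origins.
const CLIENT_REGISTRY = { 'shop-web': new Set(['https://shop.example']) };

// Assumed nonce store: nonces the RP's backend generated and handed to its page
// for navigator.credentials.get(); each is single-use.
const ISSUED_NONCES = new Set(['n-7f3a2c']);

// RP page side: the options object passed to navigator.credentials.get().
// The nonce ties this request to the RP's server-side session
// (configURL and clientId values are assumptions).
function buildFedCmRequest(configURL, clientId, nonce) {
  return { identity: { providers: [{ configURL, clientId, nonce }] } };
}

// IdP side. `req` mimics a Node request: { headers: {...}, body: 'form-encoded' }.
// The browser sends Sec-Fetch-Dest: webidentity on FedCM fetches and, on the
// ID assertion endpoint, an Origin header carrying the RP's origin; the body
// is application/x-www-form-urlencoded with account_id, client_id and nonce.
function validateIdAssertionRequest(req, registry, issuedNonces) {
  const headers = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  if (headers['sec-fetch-dest'] !== 'webidentity') {
    return { ok: false, reason: 'not a FedCM fetch' };
  }
  const origin = headers['origin'];
  if (!origin) return { ok: false, reason: 'missing Origin' };

  const body = new URLSearchParams(req.body);
  const clientId = body.get('client_id');
  const nonce = body.get('nonce');

  const allowed = registry[clientId];
  if (!allowed) return { ok: false, reason: 'unknown client_id' };
  if (!allowed.has(origin)) {
    return { ok: false, reason: 'Origin not registered for client_id' };
  }
  if (!nonce || !issuedNonces.has(nonce)) {
    return { ok: false, reason: 'nonce not issued or already used' };
  }
  issuedNonces.delete(nonce); // single use: a replayed request fails here

  // The token the IdP mints should carry aud = origin and the nonce so the
  // RP can check both; signing is out of scope for this example.
  return { ok: true, account_id: body.get('account_id'), aud: origin, nonce };
}

// RP backend side, after signature verification (assumed done elsewhere):
// reject a token whose audience or nonce is not the one this page asked for.
function rpAcceptToken(claims, expectedAud, expectedNonce) {
  return claims.aud === expectedAud && claims.nonce === expectedNonce;
}

// Constructed requests: the legitimate one, and two that must be refused.
const GOOD_REQ = {
  headers: { 'Sec-Fetch-Dest': 'webidentity', 'Origin': 'https://shop.example' },
  body: 'account_id=1234&client_id=shop-web&nonce=n-7f3a2c&disclosure_text_shown=true',
};
const WRONG_ORIGIN_REQ = {
  ...GOOD_REQ,
  headers: { ...GOOD_REQ.headers, Origin: 'https://evil.example' },
};
const NOT_FEDCM_REQ = { ...GOOD_REQ, headers: { Origin: 'https://shop.example' } };

for (const [name, req] of [['good', GOOD_REQ], ['wrong-origin', WRONG_ORIGIN_REQ], ['not-fedcm', NOT_FEDCM_REQ]]) {
  console.log(name, validateIdAssertionRequest(req, CLIENT_REGISTRY, new Set(ISSUED_NONCES)));
}
```

The Origin check stops a forged request for a client_id that belongs to another site, and the single-use nonce stops replay; the nonce and audience check on the RP side is what detects a token that was minted for a different page, which is the failure mode a browser-side same-origin bypass would produce.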
What Comes Next
Google’s swift response—same-day disclosure and patch—reflects the gravity of a same-origin bypass. But the incident raises deeper questions about FedCM’s maturity. As the web’s identity plumbing, any crack in FedCM erodes trust in the entire federated login model. Expect security researchers to intensify their scrutiny, and expect more patches. The FedID community group will likely draft additional hardening measures, such as stricter browser-level origin checks and mandatory reporting of anomalies.
For users and admins, the lesson is old yet urgent: the browser is your most critical attack surface, and automated updates are your best friend. If you’ve been ignoring that “Relaunch to update Chrome” button, today is the day to take it seriously. The FedCM fix is already live. The only remaining question is whether it reached your machine before the attackers did.