Google has patched a low-severity security flaw in Chrome for Android that gave remote attackers a way to bypass same-origin protections through the browser’s Autofill system. Tracked as CVE-2026-11291, the vulnerability was disclosed in June 2026 and affects all versions of Chrome for Android prior to 149.0.7827.53. While rated low severity, the flaw underscores persistent risks in how browsers handle sensitive user data across websites—particularly on mobile devices where Autofill is heavily relied on for convenience.

Chrome’s Autofill feature stores and automatically populates form fields such as usernames, passwords, addresses, and credit card numbers. The feature is governed by strict origin checks that prevent one domain’s form from accessing data belonging to another domain. CVE-2026-11291 represents a breakdown in that logic: an attacker could craft a malicious page that, under specific conditions, coaxed the browser into filling fields with data from an unrelated origin. This effectively let the attacker exfiltrate confidential information without user interaction, simply by luring the victim to a compromised or attacker-controlled site.

What Is CVE-2026-11291?

CVE-2026-11291 is a low-severity security vulnerability in Google Chrome’s Android browser. The official advisory describes it as an “inappropriate implementation in Autofill on Android” that allowed a remote attacker to bypass the same-origin policy via a crafted HTML page. The flaw existed in the way Autofill logic validated the origin of form fields before populating them.

In technical terms, the browser’s Autofill engine failed to properly verify that the requesting page’s origin matched the origin associated with the stored data. Under normal operation, when a user encounters a login form on example.com, Chrome will only suggest credentials previously saved for example.com. The same-origin policy—a fundamental web security concept—ensures that scripts from one origin cannot access data from another. CVE-2026-11291 broke this contract, creating a narrow window through which cross-origin data could leak.

The vulnerability is exclusive to Android; desktop versions of Chrome use a different Autofill stack and are not affected. Google’s severity rating of “low” suggests that exploitation requires significant user interaction or unusual configurations, or that the impact is limited. Nevertheless, for Android users who store sensitive payment or login information in Chrome, the bug represented a real—if nuanced—privacy threat.

Understanding the Same-Origin Policy and Autofill

The same-origin policy is the cornerstone of client-side web security. It isolates documents and scripts retrieved from different origins, preventing them from interfering with each other. An origin is defined by the combination of scheme (protocol), hostname, and port. For instance, https://bank.com and https://attacker.com are different origins, and scripts from the latter should never be able to read data from the former.

Autofill in browsers sits at a unique intersection of functionality and security. It must be smart enough to identify which fields belong to which saved credentials, but never so permissive that it spills secrets across origins. Chrome achieves this by associating every saved credential set with a list of eligible sign-on realms—effectively, a list of origins or URL patterns. When a page loads with a login form, Chrome compares the page’s origin against the credential’s stored realms before offering any suggestions.

CVE-2026-11291 reveals a flaw in this comparison logic on Android. In certain edge cases—perhaps involving iframes, redirect chains, or malformed origin headers—Chrome failed to correctly match the form’s origin with the credential realm. The result: an attacker could create a form that appeared to originate from a trusted domain, tricking Autofill into releasing credentials or other sensitive data into the attacker’s page.

Attack Scenario and Real-World Impact

Exploiting this vulnerability would require a victim to visit a malicious website while having Autofill enabled in Chrome for Android. The attacker’s page could contain hidden inline frames or carefully structured forms that mimic a trusted site’s login fields. Because the same-origin check was improperly implemented, Chrome’s Autofill engine might silently fill those fields with data saved for a completely different domain—say, a user’s online banking credentials or credit card number.

The attack is remote: no physical access to the device is needed. A phishing email with a link to the malicious page, a compromised advertisement, or a drive-by download could all serve as delivery mechanisms. Once the data is extracted, the attacker could use it for identity theft, account takeover, or financial fraud.

Despite its low severity rating, the vulnerability poses a higher risk for users who rely heavily on Autofill for sensitive information. Many Android users store credit card numbers, addresses, and even passwords directly in Chrome’s Autofill system, trusting the browser’s security guarantees. A same-origin bypass undermines that trust and highlights the importance of defense-in-depth—even in features that are supposed to be airtight.

It is worth emphasizing that there are no known reports of active exploitation in the wild before the patch was released. Google’s security team likely discovered the issue internally or through its bounty program and addressed it proactively. Users who keep Chrome updated are protected.

The Patch: Chrome 149.0.7827.53

Google released Chrome for Android version 149.0.7827.53 in June 2026 to address CVE-2026-11291. The update contains the necessary fix to the Autofill origin-checking logic, ensuring that cross-origin form fields are properly sanitized and that credential suggestions are only offered for verified same-origin pages.

The patch was rolled out gradually through the Google Play Store. Users can verify their current Chrome version by navigating to chrome://version in the browser’s address bar. If the version number is below 149.0.7827.53, an update is strongly recommended. Chrome typically self-updates when the device is on Wi-Fi and plugged in, but manual checks can force the update immediately: open the Play Store, search for Chrome, and tap “Update” if available.

As with most Chrome releases, the update also includes other non-security fixes and performance improvements. Google’s release notes for this version are sparse on details, a common practice to prevent reverse engineering before the majority of users have applied the patch. The official Chrome Releases blog provides a brief entry for the 149.0.7827.53 rollout, though it primarily references the security fix tracked under CVE-2026-11291.

How to Protect Yourself

The single most effective defense against this vulnerability is updating Chrome to version 149.0.7827.53 or later. Beyond the immediate patch, users can take several additional steps to lock down their Autofill data and reduce exposure to similar bugs:

  • Review saved Autofill entries. Open Chrome, go to Settings > Addresses and more, or Settings > Payment methods, and delete any cards or addresses that aren’t strictly necessary. Fewer stored items mean a smaller attack surface.
  • Disable password Autofill for high-risk accounts. While Chrome’s password manager is convenient, consider using a dedicated password manager app that requires explicit user confirmation (e.g., a biometric check) before filling credentials on any site.
  • Enable two-factor authentication (2FA) everywhere. Even if credentials are exfiltrated, 2FA can prevent account takeover.
  • Practice cautious browsing. Avoid clicking links in unsolicited emails or text messages. Stick to known, reputable websites, especially when entering sensitive information.
  • Keep system-level defenses up to date. Ensure Android’s built-in security features like Google Play Protect are enabled, and install all system and app updates promptly.

Enterprise administrators managing Android fleets can push the Chrome update through their mobile device management (MDM) console. They should also review conditional access policies to ensure that devices with outdated browsers are blocked from accessing corporate resources until updated.
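The version check described above (comparing a device's reported Chrome build against 149.0.7827.53) is easy to get wrong if build strings are compared as text. The following is an added Python example, not a Google or MDM vendor tool, that parses dotted build numbers numerically and flags non-compliant devices from an inventory export. The record layout (`device_id`, `package`, `version`) and the inventory itself are constructed assumptions for illustration; the fixed version string is the one given in the article.

```python
from typing import Iterable

# Fixed Chrome for Android build from the advisory discussed above.
PATCHED_VERSION = "149.0.7827.53"
CHROME_PACKAGE = "com.android.chrome"  # assumed package name for the inventory


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '149.0.7827.53' into (149, 0, 7827, 53) so comparison is
    numeric per component rather than character by character."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(reported: str, minimum: str = PATCHED_VERSION) -> bool:
    """True when the reported build is at or above the fixed build.
    Tuple comparison handles differing lengths: (149, 0, 7827) sorts
    below (149, 0, 7827, 53), as a shorter prefix should."""
    return parse_version(reported) >= parse_version(minimum)


def noncompliant_devices(inventory: Iterable[dict]) -> list[str]:
    """Return device ids whose Chrome build is below the fixed build or
    cannot be parsed. Unparseable versions are treated as non-compliant
    so a malformed record never silently passes a conditional-access gate."""
    flagged = []
    for rec in inventory:
        if rec.get("package") != CHROME_PACKAGE:
            continue
        try:
            ok = is_patched(rec.get("version", ""))
        except ValueError:
            ok = False
        if not ok:
            flagged.append(rec["device_id"])
    return flagged


# Constructed sample inventory, shaped like an MDM export (hypothetical layout).
SAMPLE_INVENTORY = [
    {"device_id": "dev-001", "package": CHROME_PACKAGE, "version": "149.0.7827.53"},
    {"device_id": "dev-002", "package": CHROME_PACKAGE, "version": "148.0.7700.99"},
    {"device_id": "dev-003", "package": CHROME_PACKAGE, "version": "149.0.7827.7"},
    {"device_id": "dev-004", "package": CHROME_PACKAGE, "version": "149.0.7827.100"},
    {"device_id": "dev-005", "package": CHROME_PACKAGE, "version": "unknown"},
    {"device_id": "dev-006", "package": "org.mozilla.firefox", "version": "1.0"},
]

if __name__ == "__main__":
    print("Block from corporate resources:", noncompliant_devices(SAMPLE_INVENTORY))
```

Note the two records that a plain string comparison would misjudge: "149.0.7827.7" sorts above "149.0.7827.53" as text but is an older build, and "149.0.7827.100" sorts below it as text but is newer. Numeric component comparison gets both right.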

Broader Implications for Browser Security

CVE-2026-11291 is a reminder that even mature, heavily audited software like Chrome can harbor subtle design flaws. Autofill is an incredibly complex feature—it must handle countless form field naming conventions, dynamic page modifications, and cross-frame interactions, all while respecting the user’s privacy and security expectations. The same-origin bypass on Android likely resulted from an oversight in handling some edge-case combination of these factors.

The bug also highlights the platform-specific nature of security engineering. Chrome’s desktop and Android versions share much code, but they diverge in critical components like Autofill due to different UI frameworks and operating system constraints. A flaw that exists only on Android might receive less scrutiny during testing, simply because the desktop client gets the lion’s share of developer attention and external audits.

For users, the takeaway is clear: automatic updates are not just about new features—they are the frontline defense against vulnerabilities like this one. Chrome’s rapid release cycle and Google’s commitment to patching even low-severity issues quickly are what keep the vast majority of users safe. CVE-2026-11291 may be low severity on paper, but for any individual whose Autofill data was exposed, the consequences could be severe. Prompt patching is the only guaranteed protection.

Looking ahead, security researchers will likely continue to probe browser Autofill implementations across all platforms. As browsers expand their role as identity providers and payment facilitators, the attack surface within features like Autofill will only grow. CVE-2026-11291 serves as a valuable case study: convenience must never come at the expense of foundational security principles like the same-origin policy.

Users should stay alert for any further advisories related to Chrome’s Autofill functionality and always treat automatic updates as a non-negotiable part of their digital hygiene.