CVE-2026-5901
Policy Bypass in Chrome DevTools via Malicious Extension
Publication date: 2026-04-08
Last updated on: 2026-04-13
Assigner: Chrome
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chrome | to 147.0.7727.55 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-602 | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an insufficient policy enforcement issue in the DevTools component of Google Chrome versions prior to 147.0.7727.55. It allows an attacker who convinces a user to install a malicious Chrome extension to bypass enterprise host restrictions related to cookie modification by using a specially crafted extension.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an attacker to bypass enterprise restrictions on cookie modification, potentially leading to unauthorized changes to cookies. This could affect user privacy and security by enabling malicious extensions to manipulate cookies despite policy controls.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Google Chrome to version 147.0.7727.55 or later, as the issue is fixed in that version.
Additionally, be cautious about installing Chrome extensions from untrusted sources to prevent malicious extensions from bypassing enterprise host restrictions.