Google shipped Chrome 150 on June 29, plugging a critical security hole that let attackers steal information from websites you’re logged into—simply by luring you to a malicious page. The vulnerability, tracked as CVE-2026-14059, was disclosed by the National Vulnerability Database on June 30 and affects every Chrome release before version 150.0.7871.47.
If you haven’t restarted Chrome in a day or two, the browser is probably still vulnerable. The fix landed in the stable channel on June 29, and the update will roll out automatically over the coming days, but you can (and should) force it right now.
The flaw: tricking Chrome’s site-family rules
CVE-2026-14059 is a classic same-origin policy bypass, but with a modern twist. Normally, a page on attacker.com cannot read data from bank.com because the browser enforces strict origin boundaries. However, Chrome—and most Chromium-based browsers—supports a feature called Related Website Sets (formerly First-Party Sets). This allows an organization to declare that several of its domains (like google.com and youtube.com) belong to the same “first party,” so they can share cookies and other data for convenience while still blocking unrelated sites.
The bug allowed a remote attacker to craft a specially designed page that abused the Related Website Sets logic. According to the NVD entry, the flaw could be exploited by tricking a user into visiting a malicious website, which would then leak cross‑origin data—potentially including authentication tokens, personally identifiable information, or other sensitive content the user had access to on a completely different site.
The vulnerability is classified as critical, though a CVSS severity score hasn’t been published yet by NVD at the time of writing. Google assigned it a High severity in its own tracking.
Who is affected
Any desktop Chrome installation running a version older than 150.0.7871.47 is vulnerable. That includes:
- Chrome 149 and all earlier stable releases.
- Chrome 150 builds released before the patch was promoted to stable (the first stable 150 build was likely 150.0.7871.11 or similar).
- Chromium-based browsers that haven’t yet merged the fix (Microsoft Edge, Brave, Vivaldi, Opera, etc.). Edge usually ships Chromium updates within a day or two; other derivatives lag behind.
Mobile versions of Chrome are likely affected as well, since Google’s advisory typically groups desktop and mobile patches together. The exact mobile build number hasn’t been confirmed, but the fix will arrive through the Play Store update.
If your browser says “Chrome is up to date” and shows version 150.0.7871.47 or higher, you’re protected. If the version string is anything less, you aren’t.
What’s at stake for everyday users
Because the attack requires only that a victim visit a malicious page, with no downloads and no clicks on pop-ups, it fits the profile of a drive‑by web exploit. An attacker could host the exploit on a compromised legitimate site, embed it in a web ad, or send a link via email or messaging. When the page loads, the exploit silently extracts data from other sites that the user is authenticated to.
In practical terms, the stolen data could include:
- Login session cookies that would let an attacker impersonate the victim on services like email, banking, or cloud storage.
- Contents of web pages the user has open in other tabs, if those pages are part of a Related Website Set that the attacker’s page can manipulate.
- Personal information autofilled on one site but readable by another thanks to the origin‑bypass.
The attack does not require the victim to be logged into the attacker’s site. It exploits how Chrome interprets the relationships between the attacker’s domain and the target domain through the Related Website Sets mechanism.
The business and IT impact
For organizations, the risk is amplified. Employees using unpatched Chrome on work devices could have corporate single‑sign‑on sessions stolen, granting attackers access to internal tools, HR systems, or cloud consoles. Because many enterprises rely on Related Website Sets for seamless cross‑domain authentication (for example, allowing login across a corporate portal and a partner support site), a vulnerability in this area undermines that trust model.
IT administrators should push emergency Chrome updates to all managed endpoints immediately. Group Policy or third‑party patch management tools can force the update and restart the browser. Google’s Chrome Enterprise release notes typically lag a few hours behind the consumer stable release, but the patch payload is identical.
Additionally, any web application that relies on Related Website Sets for security decisions—say, treating two domains as equally trusted—should be audited. The flaw suggests that the browser’s enforcement of set boundaries was insufficient, meaning that even well‑configured sets could have been exploited.
How we got here: Related Website Sets and cross‑origin headaches
Related Website Sets debuted in Chrome 113 (mid‑2023) as a replacement for Third‑Party Cookie deprecation workarounds. The idea was to let a parent domain list sibling domains that should be treated as “same‑site” for specific purposes—preserving embedded content, shared logins, or single‑sign‑on flows—without resorting to third‑party cookies.
Google’s submission process requires domains to meet strict ownership and policy criteria, and the list of sets is baked into Chrome and updated with each release. In theory, only the domains within an approved set get relaxed cross‑domain restrictions; all others remain isolated.
CVE-2026-14059 indicates that an attacker could game this system, perhaps by registering a domain that appeared to be part of a set when it wasn’t, or by crafting requests that confused Chrome’s set‑membership checks. The NVD description (remote attacker, crafted request, cross‑origin data leak) suggests a logic flaw rather than a memory corruption bug, which often makes exploit development simpler and more reliable.
This isn’t the first time Chrome’s site‑boundary machinery has been outflanked. Similar same‑origin bypass CVEs have appeared regularly (CVE-2022-3656, CVE-2023-2312, among others), and each prompts a re‑examination of how browsers balance user convenience with ironclad isolation.
What you need to do now
- Check your Chrome version. Click the three‑dot menu → Help → About Google Chrome. The build number is listed below the browser name.
- Trigger the update. On the About page, Chrome automatically checks for updates. If an update is found, let it download and then click “Relaunch.”
- After relaunch, verify the version again. You should see 150.0.7871.47 or a higher build number. (Note: the stable channel build number may increment slightly if a minor revision ships later; any build at or above 150.0.7871.47 includes the fix.)
- Restart any other Chromium‑based browsers and check for updates there as well. Microsoft Edge, Brave, Opera, and Vivaldi typically rebase on the latest Chromium within days. Manually checking for updates in each browser’s settings is prudent.
- Enable automatic updates or enterprise patching. For personal use, Chrome updates itself silently, but you can confirm by visiting chrome://settings/help. For IT‑managed fleets, use your endpoint management console to approve and deploy the update.
- Stay vigilant for signs of session hijacking. Until all browsers are patched, monitor accounts for unusual activity. If you suspect a session was stolen, revoke active sessions via each service’s security settings and change passwords.
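For administrators checking a fleet against the fixed build, here is an added example (not code from Google or from this article) that parses Chromium-style four-part build numbers and compares them tuple-wise against 150.0.7871.47; the inventory lines it scans are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Fixed stable build named in the advisory; anything at or above it is patched.
FIXED_VERSION = "150.0.7871.47"

# Matches the build number printed by "google-chrome --version" or shown on the About page.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a four-part Chromium build number from arbitrary text.
    Returns None when no build number is present."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the build is at or above the fixed build, False if older,
    None if no build number could be parsed. Comparison is tuple-wise on
    integers: a naive string comparison would rank 150.0.7871.100 below
    150.0.7871.47 and wrongly flag a newer build as vulnerable."""
    installed = parse_version(version_text)
    fixed_v = parse_version(fixed)
    if installed is None or fixed_v is None:
        return None
    return installed >= fixed_v


# Constructed sample inventory (hostname followed by the browser version string),
# e.g. as exported from an endpoint management console. Not real hosts.
SAMPLE_INVENTORY = """\
host01 Google Chrome 149.0.7812.34
host02 Google Chrome 150.0.7871.11
host03 Google Chrome 150.0.7871.47
host04 Google Chrome 150.0.7871.100
host05 Chromium unknown
"""


def find_unpatched(inventory: str) -> List[str]:
    """Return hosts whose Chrome is older than the fixed build or whose
    version could not be parsed (treated as unpatched until verified)."""
    unpatched = []
    for line in inventory.splitlines():
        host, _, rest = line.partition(" ")
        if is_patched(rest) is not True:
            unpatched.append(host)
    return unpatched


if __name__ == "__main__":
    print(find_unpatched(SAMPLE_INVENTORY))  # ['host01', 'host02', 'host05']
```

Unparseable entries are reported alongside old builds so that a missing or malformed version never silently passes as patched.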
The bigger picture and what’s next
The discovery of CVE-2026-14059 comes as browsers are reshaping fundamental web privacy architecture. Related Website Sets was intended to help sites adapt to a cookieless future, but this vulnerability shows that every new mechanism introduces attack surface.
Google has not said whether this flaw was exploited in the wild before the patch. The NVD’s publication on June 30—one day after the stable channel release—suggests the disclosure was coordinated, but the absence of an “exploitation detected” statement leaves the door open. Security researchers will soon publish proof‑of‑concept code, making it critical to patch before that happens.
For Windows users in particular, Chrome remains the dominant pathway to the web. Keeping it updated is the simplest and most effective defence against drive‑by attacks. If you haven’t clicked “Relaunch” yet, now is the time.