Google has patched a medium-severity vulnerability in Chrome for Android that allowed remote attackers to spoof domain information inside WebAPK wrappers. Tracked as CVE-2026-11127, the flaw affects all Chrome versions prior to 149.0.7827.53 and was fixed in the stable channel update released on June 4, 2026. The advisory warns that a malicious actor could “spoof a domain through a crafted HTML page,” potentially tricking users into believing they are interacting with a legitimate site while credentials or personal data are harvested by an impostor.

WebAPKs are a critical but often overlooked part of the modern Android ecosystem. They allow Progressive Web Apps (PWAs) to be installed from the browser, appearing in the app drawer and launching in a standalone window with no traditional browser chrome. Under the hood, the rendering engine is still Chromium, and the URL bar—when present—should always reflect the true origin of the content. CVE-2026-11127 broke that trust, creating a gap between the displayed address and the actual source of the page.

What are WebAPKs and why should you care?

A WebAPK is essentially a native Android package generated by Chrome when a user chooses to “Install App” on a PWA. The service worker, manifest, and assets are bundled into an APK that can be launched like a normal app, yet it runs inside a Chrome-based runtime. This mechanism bridges the gap between web apps and native apps, offering seamless installation, push notifications, and access to device hardware.

Because WebAPKs inherit the permissions and identity of the origin they were installed from, the integrity of the domain is paramount. If an attacker can manipulate what is shown in the address bar or—more subtly—what origin the WebView thinks it is connected to, the entire trust model collapses. A user who installed a banking PWA, for instance, expects every screen to belong to the bank’s URL; a spoofed domain could easily coax them into surrendering credentials.

Understanding domain spoofing in WebAPKs

Domain spoofing in this context means displaying a URL or origin that does not match the actual content. This can be achieved through flaws in navigation handling, URL parsing, or the mechanisms that enforce same-origin policy inside the WebAPK shell. Often, such vulnerabilities involve the interaction between WebViews and intent handlers, or the way the service worker processes cross-origin redirects.

In Chrome for Android, the WebAPK launcher activity (WebappActivity) is responsible for rendering the PWA inside a custom ChromeTabbedActivity. The address bar is typically hidden, but it can be invoked by certain user actions or, more importantly, by the app’s manifest. An attacker who can force a different URL to be displayed—perhaps by exploiting a race condition during page load or by crafting a link that triggers a non‑obvious navigation—could present a visually identical login form while the WebView quietly loads content from a phishing server.

Technical breakdown of CVE-2026-11127

Specific details of the flaw are still under limited disclosure as Google’s security team evaluates the scope. However, the advisory’s description—“a remote attacker who had compromised the renderer process could spoof a domain via a crafted HTML page”—hints at a possible compromise of the renderer. In Chrome’s multi‑process architecture, a compromised renderer must not be able to influence privileged UI elements such as the omnibox. If a renderer exploit or a logic bug allowed JavaScript to overwrite the displayed origin, the confidentiality and integrity of the whole WebAPK session would be at risk.

The CVE was reported by an external researcher on April 12, 2026, and awarded a bounty under Google’s Vulnerability Reward Program. The prompt fix and medium severity classification suggest the attack requires either a separate compromise of the renderer or some level of user interaction, reducing its immediate exploitability. Nevertheless, for high‑value targets—financial services, cryptocurrency exchanges, enterprise dashboards—the impact could be severe if combined with a social engineering campaign.

Impact and real‑world attack scenarios

An attacker armed with CVE-2026-11127 could craft a web page that, when visited inside a WebAPK, causes the displayed domain to change while the underlying session remains under the attacker’s control. For example, a malicious link shared via email or instant messaging could be opened by a user who trusts their installed “outlook.com” PWA. Once clicked, the WebAPK might show “outlook.com” in the URL bar, but the actual traffic is being proxied through an attacker‑controlled server, silently stealing authentication tokens or session cookies.

Because many PWAs rely on OAuth 2.0 flows or session‑based authentication, a spoofed domain could also intercept authorization codes. If the PWA has been granted sensitive permissions—camera, location, storage—those capabilities remain in the context of the hijacked origin, further amplifying the breach.

Why is this rated “medium” severity?

Google’s severity guidelines for Chrome vulnerabilities assign High or Critical ratings to bugs that do not require significant interaction and can be exploited automatically. A Medium rating often indicates that the attack requires tricking the user into performing a specific action, that it is limited to a particular architecture, or that it can only be exploited under certain conditions. In this case, the reliance on a compromised renderer or user navigation likely pushed it into the medium bucket. Still, it would be a mistake to underestimate it: for targeted attacks on high‑net‑worth individuals or corporate devices, the risk is very real.

The fix and how to update

All users of Chrome for Android should immediately verify they are running version 149.0.7827.53 or later. The update is being rolled out over the next few days via Google Play Store, but you can manually check by visiting chrome://version in the browser or tapping “Update” on the app’s Play Store page.

For enterprise administrators managing devices through MDM or Google Play Protect, it is critical to enforce a minimum version policy and ensure automatic updates are enabled. Because WebAPKs rely on the installed Chrome version, updating the browser instantly patches all installed PWAs—no individual app updates are necessary.

Developers who publish PWAs should also review their Content Security Policy (CSP) headers, ensure that all navigations use explicit targets, and consider implementing origin checks via JavaScript to detect any mismatch between window.location and the expected origin. While these measures cannot prevent the underlying vulnerability, they provide an additional layer of defense against exploitation.
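The origin check and link hygiene described above, as an added example that is not code from the article, from Google, or from any PWA project: it assumes constructed allow-listed origins (app.example.com, login.example.com) and a CSP of my own choosing, and it also covers the rel="noopener" point the article closes with.

```javascript
// Added example, not code from the article or from Chromium: the checks the
// article recommends for PWA developers, runnable in Node and in the browser.

// Origins the installed PWA legitimately serves (constructed sample values).
const EXPECTED_ORIGINS = new Set(['https://app.example.com', 'https://login.example.com']);

// Origin of a URL, or null when the URL does not parse (e.g. a relative href).
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Runtime origin check: call with window.location.href after load and after
// each navigation. Exact-origin comparison also rejects lookalike hosts such
// as app.example.com.evil.test; on false, refuse to render credential forms.
function originMatches(href, expected = EXPECTED_ORIGINS) {
  const origin = originOf(href);
  return origin !== null && expected.has(origin);
}

// Static audit of anchor-like objects ({href, target, rel}) for two patterns:
// target="_blank" without rel="noopener", and navigation off the allow-list.
// In the browser, feed it
// [...document.querySelectorAll('a')].map(a => ({href: a.href, target: a.target, rel: a.rel})).
function auditLinks(anchors, expected = EXPECTED_ORIGINS) {
  const findings = [];
  for (const a of anchors) {
    const rel = (a.rel || '').toLowerCase().split(/\s+/);
    const newContext = (a.target || '').toLowerCase() === '_blank';
    const origin = originOf(a.href);
    if (newContext && !rel.includes('noopener')) {
      findings.push({ href: a.href, issue: 'target=_blank without rel=noopener' });
    }
    if (origin !== null && !expected.has(origin)) {
      findings.push({ href: a.href, issue: `navigates off-origin to ${origin}` });
    }
  }
  return findings;
}

// CSP worth reviewing: restrict where forms may post and who may frame the
// app, so a spoofed login form inside the shell cannot submit elsewhere.
function buildCsp(expected = EXPECTED_ORIGINS) {
  const origins = [...expected].join(' ');
  return `default-src 'self'; form-action 'self' ${origins}; frame-ancestors 'none'; base-uri 'self'`;
}
```

Run auditLinks against a page's rendered anchors in CI or a pre-deploy script, and wire originMatches into the app's navigation handler so a mismatch blocks login UI rather than only logging.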

A history of WebAPK and Chrome address bar spoofing

CVE-2026-11127 is not an isolated incident. Chrome on both desktop and mobile has battled address bar spoofing repeatedly. In 2023, CVE-2023-3214 allowed a malicious site to hide the true URL during a slow navigation. Earlier, CVE-2020-16044 exploited a timer‑based race in the handling of cross‑origin redirects. In 2025, a series of WebAPK‑specific issues were fixed (CVE-2025-1098, CVE-2025-1101) involving improper isolation of WebViews.

Each of these bugs erodes the fundamental contract of the browser: that the address bar shows you where you are. For WebAPKs, this contract is even more fragile because the UI is minimal and users have been conditioned to trust installed apps. The growing convergence of web and native app models means that future exploits will likely target these hybrid environments.

Broader implications for Progressive Web Apps

As PWAs gain traction—spurred by Apple’s reluctant support and Google’s aggressive push—WebAPKs are becoming the default installation path for millions of Android users. This attack surface is only going to grow. A successful spoof in a popular PWA could undermine adoption across the entire ecosystem.

Google has been investing in stronger isolation for WebAPKs, including site‑isolation features that run each origin in a separate process. However, the sheer complexity of the Chrome for Android codebase, which must adapt to legacy devices and low‑memory conditions, often introduces nuanced bugs. The security community will need to pay closer attention to how PWAs handle navigation, intent resolution, and the interaction between the web content and the hosting shell.

What can users do right now?

  1. Update Chrome immediately. Open the Play Store, search for Chrome, and hit Update. If you have automatic updates disabled, enable them for critical apps.
  2. Review installed WebAPKs. While rare, a corrupted WebAPK can be uninstalled and reinstalled from the original PWA after updating Chrome. This ensures a clean state.
  3. Stay skeptical of unexpected logins. If a trusted PWA suddenly asks you to re‑enter credentials, verify the URL (if visible) or close the app and reopen it from the home screen.
  4. Enable Google Play Protect. It scans installed apps for malicious behavior and alerts you to known vulnerabilities.

What should enterprises do?

  • Push mandatory Chrome updates through your EMM console. Set a minimum version to 149.0.7827.53.
  • Audit internal PWAs for any custom schemes or intent filters that could be abused in conjunction with this exploit.
  • Educate employees about the risks of installing PWAs from untrusted sources and the importance of recognizing suspicious behavior even inside “apps.”

Looking ahead

The quick patch for CVE-2026-11127 demonstrates Google’s maturity in handling Chrome vulnerabilities, but it also underscores the relentless cat‑and‑mouse game between security researchers and attackers. As the line between web and native apps blurs, users must recalibrate their mental models: an installed PWA is no more inherently trustworthy than a bookmark.

Google’s forthcoming Privacy Sandbox and WebAPK updates, expected in Chrome 151, promise to introduce additional integrity checks and a more transparent URL‑display policy for installed PWAs. Until then, staying on the latest version remains the single most effective defense.

The discovery of this flaw should serve as a wake‑up call for developers rushing to adopt WebAPKs without thoroughly vetting their navigation logic. A single target="_blank" link without rel="noopener" or a misconfigured service worker can open the door to domain spoofing, regardless of the browser’s built‑in protections. The fix is in the code—both Google’s and yours.