Google has rushed out a security patch for a high-severity vulnerability in Chrome’s StorageAccessAPI that could let a remote attacker read sensitive data from any website you’re logged into. The fix, bundled in version 150.0.7871.47, landed on June 30, 2026, and addresses a policy-enforcement flaw that essentially neuters a key privacy barrier between websites.
This isn’t theoretical. A malicious page can craft requests that bypass the API’s intended gatekeeping, reading cookies, local storage, and even session tokens from other origins — all without any user interaction or prompt. The bottom line: if you’re running Chrome on Windows (or any desktop OS) and you haven’t updated yet, every site you’re signed into is potentially exposed.
What Actually Changed
The StorageAccessAPI is a browser mechanism that lets embedded cross-site content (like a third-party login widget) request access to its own first-party storage when it would otherwise be blocked by the browser’s anti-tracking settings. Normally, the browser mediates this carefully — the user has to interact with the embedded frame, and the browser enforces rules about which sites can ask and when.
CVE-2026-14156 is a flaw in that mediation layer. According to Google’s advisory, an attacker can craft an HTML document that confuses the browser into granting storage access without user gesture, and worse, can grant access to storage that doesn’t belong to the requesting origin. In plain terms: visit a booby-trapped page on evil.com, and it might silently read your cookies from bank.example if you’re logged in there in another tab.
The vulnerability was assigned a CVSS v3.1 score of 8.3 (High), with a vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. Network-exploitable, low complexity, no privileges, requires user interaction (clicking a link or opening a page), and it can lead to high confidentiality and integrity impacts. Google’s advisory marks it as a Type Confusion in the V8 JavaScript engine’s implementation of the API, which allowed the policy bypass.
The patched version — 150.0.7871.47 for desktop — contains the rewritten checks. The update also rolls out gradually to Android and iOS, but on Windows, Mac, and Linux the update is available immediately through the browser’s built-in updater.
What It Means for You
For everyday Windows users
If you use Chrome as your daily driver, close it and reopen it. Seriously. Chrome updates silently in the background, but the patch only applies after a full restart. Click the three-dot menu → Help → About Google Chrome; if the version is 150.0.7871.47 or higher, you’re safe. If not, the updater will pull the new build and prompt you to relaunch.
Pay extra attention if you use Chrome for work accounts, banking, or anything where session theft would be catastrophic. An attacker could steal active session cookies and impersonate you on those services, potentially bypassing multi-factor authentication if it’s not required for every login. Given the low complexity, expect phishing campaigns to weaponize this quickly.
For IT admins
If you manage Chrome via Group Policy or enterprise deployment tools, push the update immediately. The MSI installer for version 150.0.7871.47 is available on the Chrome Enterprise download page. Use Google Update group policies to force an update within your maintenance window. Verify with your endpoint management console that all managed devices have picked up the new build.
Patch management scanners like Qualys, Tenable, and Rapid7 already have CPE definitions for this CVE — look for entries matching cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* with versions less than 150.0.7871.47. If you use Microsoft Defender for Endpoint, the vulnerability assessment blade should flag unpatched Chrome instances within hours.
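Scanner CPE matches are only as good as the version comparison behind them, and a plain string comparison gets dotted versions wrong. The following is an added example, not code from Google, the article, or any scanner vendor: it compares an inventory export of Chrome builds against the fixed version named above and lists the hosts still on a vulnerable build. The hostnames and versions in the inventory are constructed.

```javascript
// Added example: compare installed Chrome builds against the fixed version
// named in the advisory. Inventory rows below are constructed, not real hosts.
const PATCHED_VERSION = "150.0.7871.47";

// Parse a dotted Chrome version into numeric components. Chrome uses four
// components (MAJOR.MINOR.BUILD.PATCH); missing trailing ones count as 0.
function parseVersion(v) {
  const parts = String(v).trim().split(".").map(Number);
  if (parts.length === 0 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`malformed version: ${v}`);
  }
  while (parts.length < 4) parts.push(0);
  return parts;
}

// Numeric comparison component by component. A string comparison would
// rank "150.0.7871.9" above "150.0.7871.47", which is wrong.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isPatched(version) {
  return compareVersions(version, PATCHED_VERSION) >= 0;
}

// Given an inventory export [{host, version}], return the hosts still on a
// vulnerable build, oldest build first so the worst cases are at the top.
function findUnpatched(inventory) {
  return inventory
    .filter((row) => !isPatched(row.version))
    .sort((x, y) => compareVersions(x.version, y.version))
    .map((row) => row.host);
}

// Constructed sample inventory (hostnames and versions are made up).
const SAMPLE_INVENTORY = [
  { host: "ws-0101", version: "150.0.7871.47" },
  { host: "ws-0102", version: "150.0.7871.9" },
  { host: "ws-0103", version: "149.0.7800.120" },
  { host: "ws-0104", version: "150.0.7871.60" },
  { host: "ws-0105", version: "150.0.7871.47" },
];

console.log("Still vulnerable:", findUnpatched(SAMPLE_INVENTORY).join(", "));
```

Feed it the CSV or JSON export from your endpoint console after pushing the MSI; any host it returns has not relaunched Chrome yet, or the push did not reach it.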
A word about Chromium-based browsers: Edge, Brave, Opera, Vivaldi, and others typically incorporate upstream Chromium fixes on their own cadence. At time of writing, Microsoft Edge (version 150.0.7871.x) has already shipped the fix; check your browser’s specific release notes for confirmation.
For developers
If you’re building web apps that use the StorageAccessAPI — think embedded widgets, cross-origin iframes for authentication, or third-party payment UIs — audit your reliance on the API. The fix does not change the API’s surface; your existing calls to document.requestStorageAccess() will continue to work. However, this episode highlights how fragile cross-origin trust is. Tighten your Content Security Policy (CSP) headers to limit which origins can frame your content, and consider moving away from cookie-based sessions if possible.
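To make the CSP and cookie advice concrete, here is an added example (not Chromium's code and not from the article) that audits the headers an embeddable page serves and builds hardened replacements. It flags a missing or wildcard `frame-ancestors` directive, and session cookies without `Secure`, `HttpOnly`, an explicit `SameSite`, or the `__Host-` prefix. All header values and origins below are constructed; `embeddedCrossSite` is an assumed flag meaning the cookie genuinely has to be delivered inside a third-party iframe.

```javascript
// Added example (not Chromium's or the article's code): audit the headers
// served on an embeddable page and build hardened replacements.
// All header values and origins below are constructed.

// Parse a Set-Cookie value into the cookie name and a lower-cased
// attribute map (flag attributes such as Secure map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, attributes };
}

// Report the protections a session cookie lacks. A cookie that must be
// delivered inside a third-party iframe (embeddedCrossSite) has to be
// SameSite=None; otherwise None needlessly exposes it to cross-site requests.
function auditSessionCookie(header, { embeddedCrossSite = false } = {}) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.secure) findings.push("missing Secure");
  if (!attributes.httponly) findings.push("missing HttpOnly (readable by script)");
  const sameSite = String(attributes.samesite || "").toLowerCase();
  if (sameSite === "") {
    findings.push("SameSite not set explicitly");
  } else if (sameSite === "none" && !embeddedCrossSite) {
    findings.push("SameSite=None on a cookie that never needs cross-site delivery");
  } else if (sameSite !== "none" && embeddedCrossSite) {
    findings.push(`SameSite=${attributes.samesite} will not be sent inside a cross-site frame`);
  }
  if (!name.startsWith("__Host-")) {
    findings.push("no __Host- prefix");
  } else if (attributes.path !== "/" || attributes.domain) {
    findings.push("__Host- requires Path=/ and no Domain");
  }
  return findings;
}

// Parse a Content-Security-Policy value into directive -> source list.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// frame-ancestors is the directive that limits who may embed the page.
// Flag a missing directive, wildcard-style sources, and embedders that are
// not on the expected list.
function auditCsp(header, allowedEmbedders) {
  const fa = parseCsp(header)["frame-ancestors"];
  if (!fa) return ["frame-ancestors missing: any origin may frame this page"];
  const findings = [];
  for (const src of fa) {
    if (src === "*" || src === "https:" || src === "http:") {
      findings.push(`overly broad source ${src}`);
    } else if (src !== "'self'" && src !== "'none'" && !allowedEmbedders.includes(src)) {
      findings.push(`unexpected embedder ${src}`);
    }
  }
  return findings;
}

// Hardened header pair for a page framed only by the listed partner origins.
function hardenedHeaders(allowedEmbedders, embeddedCrossSite) {
  const sameSite = embeddedCrossSite ? "None" : "Lax";
  return {
    "Content-Security-Policy": `frame-ancestors 'self' ${allowedEmbedders.join(" ")}`,
    "Set-Cookie": `__Host-session=<opaque>; Path=/; Secure; HttpOnly; SameSite=${sameSite}`,
  };
}

// Constructed "before" headers typical of a cross-site widget.
const WEAK_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; frame-ancestors *",
  "Set-Cookie": "session=abc123; Path=/",
};
const PARTNER_ORIGINS = ["https://partner.example"];

console.log(auditCsp(WEAK_HEADERS["Content-Security-Policy"], PARTNER_ORIGINS));
console.log(auditSessionCookie(WEAK_HEADERS["Set-Cookie"], { embeddedCrossSite: true }));
console.log(hardenedHeaders(PARTNER_ORIGINS, true));
```

Note the trade-off the audit makes visible: a widget that must read its cookie inside a partner's iframe cannot use `SameSite=Lax`, so for that case `frame-ancestors` and the `__Host-` prefix are doing the isolation work, which is exactly the dependency on browser-side policy that this bug broke. That is the argument for the article's suggestion to move such sessions off cookies where you can.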
Furthermore, scan your server logs for unusual patterns of cross-origin storage access in the days leading up to the patch. Any anomaly could indicate exploitation attempts. Chrome’s Developer Tools can simulate the attack pattern if you need to test your own defenses.
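The log review above is easiest to do with a small scanner. The following is an added example, not the article's or any vendor's tool: it reads access-log lines, keeps only cross-site requests (as marked by the `Sec-Fetch-Site` request header) against session-bearing endpoints, and aggregates the ones whose `Origin` or `Referer` is not an expected embedder. The log lines, endpoint list and origins are all constructed, and the JSON-lines format is an assumption; swap `parseLine` for a parser matching your server's own log format.

```javascript
// Added example (not from the article): scan access-log lines for
// cross-site requests to session-bearing endpoints from origins that were
// never meant to embed or call the app. Log lines are constructed and use
// a JSON-lines format; adapt parseLine to your server's log format.
const SENSITIVE_PATHS = ["/api/session", "/api/me", "/widget/frame"];
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://partner.example"]);

function parseLine(line) {
  try {
    const rec = JSON.parse(line);
    return rec && typeof rec === "object" ? rec : null;
  } catch {
    return null;
  }
}

function originOf(url) {
  if (!url) return null;
  try { return new URL(url).origin; } catch { return null; }
}

// A request is suspicious when it targets a sensitive path, the browser
// marked it cross-site (Sec-Fetch-Site), and the Origin/Referer origin is
// not one we expect. Requests without any origin are counted separately:
// they may be legitimate navigations or a client stripping headers.
function classify(rec) {
  if (!SENSITIVE_PATHS.includes(rec.path)) return null;
  if (rec.sec_fetch_site !== "cross-site") return null;
  const origin = rec.origin || originOf(rec.referer);
  if (!origin) return { kind: "no-origin", origin: null };
  if (ALLOWED_ORIGINS.has(origin)) return null;
  return { kind: "unexpected-origin", origin };
}

// Aggregate per origin so a scripted probe from one host surfaces as a
// single finding with a count, the paths it touched and the statuses seen.
function scanLog(lines) {
  const byOrigin = new Map();
  let unparsed = 0;
  let noOrigin = 0;
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) { unparsed++; continue; }
    const hit = classify(rec);
    if (!hit) continue;
    if (hit.kind === "no-origin") { noOrigin++; continue; }
    const entry = byOrigin.get(hit.origin) ||
      { origin: hit.origin, count: 0, paths: new Set(), statuses: new Set() };
    entry.count++;
    entry.paths.add(rec.path);
    entry.statuses.add(rec.status);
    byOrigin.set(hit.origin, entry);
  }
  const findings = [...byOrigin.values()]
    .sort((a, b) => b.count - a.count)
    .map((e) => ({
      origin: e.origin,
      count: e.count,
      paths: [...e.paths].sort(),
      statuses: [...e.statuses].sort((a, b) => a - b),
    }));
  return { findings, unparsed, noOrigin };
}

// Constructed sample log (every host, path and timestamp is made up).
const SAMPLE_LOG = [
  '{"ts":"2026-06-28T10:00:01Z","method":"GET","path":"/api/session","origin":"https://app.example","sec_fetch_site":"same-origin","status":200}',
  '{"ts":"2026-06-28T10:00:05Z","method":"GET","path":"/widget/frame","origin":"https://partner.example","sec_fetch_site":"cross-site","status":200}',
  '{"ts":"2026-06-28T10:01:10Z","method":"GET","path":"/api/session","origin":"https://evil.example","sec_fetch_site":"cross-site","status":200}',
  '{"ts":"2026-06-28T10:01:11Z","method":"GET","path":"/api/me","origin":"https://evil.example","sec_fetch_site":"cross-site","status":200}',
  '{"ts":"2026-06-28T10:01:12Z","method":"POST","path":"/api/session","origin":"https://evil.example","sec_fetch_site":"cross-site","status":401}',
  '{"ts":"2026-06-28T10:02:00Z","method":"GET","path":"/api/session","sec_fetch_site":"cross-site","status":200}',
  'this line is not JSON at all',
  '{"ts":"2026-06-28T10:03:00Z","method":"GET","path":"/static/logo.png","origin":"https://other.example","sec_fetch_site":"cross-site","status":200}',
  '{"ts":"2026-06-28T10:04:00Z","method":"GET","path":"/api/me","referer":"https://evil2.example/landing","sec_fetch_site":"cross-site","status":200}',
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

A 200 on a sensitive endpoint from an unexpected cross-site origin is the line worth escalating; a run of 401s from the same origin is a probe that your server-side checks held against, but it still tells you who was trying.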
How We Got Here
The StorageAccessAPI first appeared in Chrome 77 (2019) as a response to ITP (Intelligent Tracking Prevention) in Safari. Its goal was to restore legitimate functionality — like showing a user who’s logged into a widget — while still blocking covert tracking. Over the years, it grew more complex, with incremental changes in Chrome 86, 101, and 120 to address edge cases.
CVE-2026-14156 isn’t the first time a browser’s storage isolation has broken. In 2020, Safari had a similar bug where ITP could be bypassed via a redirect chain. In 2023, a Chromium flaw (CVE-2023-7024) allowed tabs to access other tabs’ WebSQL databases. The common thread: the browser becomes a de facto operating system, and cross-origin isolation is hard.
Google’s Vulnerability Reward Program paid a researcher $15,000 for reporting this issue in early June 2026, under the “secure by default” track. The rapid turnaround — less than four weeks from internal confirmation to stable release — underscores the severity. The Chromium team classified it as “security_severity:High” and fast-tracked the merge to the release branch.
What to Do Now
- Update Chrome now. Click the three-dot menu, Help, About Google Chrome. Let it download and relaunch.
- Restart your browser. This is critical; the update is not applied until you restart. Save your work and close all Chrome windows.
- Verify the version. Confirm you’re on 150.0.7871.47 or later. If you see a lower build, something went wrong — try again or download the installer directly from google.com/chrome.
- For enterprises: push the latest MSI via your software deployment system, and consider forcing a restart of Chrome processes on managed endpoints. Update your vulnerability scanner definitions to detect CVE-2026-14156.
- Clear site data (optional but prudent). If you suspect you might have visited a malicious page, go to chrome://settings/clearBrowserData and clear “Cookies and other site data” for the past 24 hours. This invalidates any stolen session tokens — you’ll be logged out everywhere, but it’s a safe reset.
- Keep an eye on credential health. Monitor your critical accounts for suspicious logins. Password managers can flag compromised passwords.
Outlook
Google has not disclosed any active exploitation in the wild as of July 1, 2026. But with every hour that passes, the race narrows. Historically, high-severity Chrome bugs see weaponization within days of public disclosure, especially those involving data theft rather than simple crashes. Expect proof-of-concept code to surface on GitHub and exploit kits to integrate it swiftly.
The next Chrome Stable release is scheduled for July 8; it will bundle additional security fixes, but don’t wait for that. The fix for CVE-2026-14156 is in the wild now, and attackers are already reverse-engineering the diff.
For Windows enterprise shops, this is a good moment to review your browser update policies. Chrome’s automatic updates are effective, but they’re no substitute for formal endpoint management. The gap between a zero-hour patch and wide deployment can be exploited. Treat this as a fire drill for the next one — because there will always be a next one.