On June 30, 2026, Google quietly patched a critical same-origin bypass vulnerability in Chrome’s WebAppInstalls component. Tracked as CVE-2026-13881, the flaw is fixed in Chrome version 150.0.7871.47. If you haven’t updated yet, stop what you’re doing and check your browser right now—this one matters.
What We Know About the June 30 Patch
The stable channel update for Chrome 150 arrived on June 30, 2026, addressing a long list of security fixes. Among them, CVE-2026-13881 stands out: a high-severity issue in WebAppInstalls that allowed a malicious website to bypass the browser’s same-origin policy. Google hasn’t released technical details yet, and the CVE description remains sparse, but the core problem is clear enough. WebAppInstalls is the subsystem that lets sites prompt users to install Progressive Web Apps (PWAs). A bypass here could let an attacker’s site install a PWA or trigger actions that masquerade as coming from a different origin, potentially hijacking web app behavior or exfiltrating sensitive data.
Google labels the fix as a patch for an “insufficient policy enforcement” flaw—a common category that typically means a security check was present but could be circumvented. The company credits an external researcher, though no name has been publicized yet. As is standard practice, full technical disclosure is being withheld while users adopt the update.
Same-Origin Policy: Why This Bypass Is Dangerous
To understand the risk, you need to grasp what same-origin policy (SOP) actually does. It’s a fundamental browser security rule that stops code from one website from reading or modifying data on another. For example, a script on evil.com shouldn’t be able to access your banking session on bank.com. If that wall breaks, attackers can steal cookies, inject scripts, or manipulate your accounts cross-site.
WebAppInstalls complicates this. When you install a PWA from a site, the browser stores a manifest and associated service workers. A SOP bypass in this component could allow a malicious origin to create or tamper with PWA installations for other domains, potentially intercepting data or abusing granted permissions. Since PWAs often have persistent access to storage, cameras, or location, a compromise isn’t theoretical—it could persist silently on your device even after you close the offending tab.
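To make the rule concrete, here is an added example (not code from the article or from Chromium) that writes out the same-origin comparison a browser applies and then uses it in the one place a PWA installer depends on it: checking that a manifest's start_url and scope belong to the installing page's origin. The function names, the simplified install-policy model and the host shop.example are assumptions for illustration; bank.com and evil.com come from the article.

```javascript
// Added example, not code from the article or from Chromium: the same-origin
// rule written out explicitly, then applied to the manifest fields a PWA
// install depends on. Node's built-in URL class does the parsing.

// An origin is the (scheme, host, port) triple. URL normalizes default ports
// away, so https://bank.com and https://bank.com:443 compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Web App Manifest default: when "scope" is absent it is start_url with the
// query, fragment and final path segment removed.
function defaultScope(startUrl) {
  const u = new URL(startUrl);
  u.search = '';
  u.hash = '';
  u.pathname = u.pathname.slice(0, u.pathname.lastIndexOf('/') + 1);
  return u.href;
}

// Resolve start_url and scope relative to the installing document, as a
// browser would before deciding whether an install is allowed.
function resolveManifest(documentUrl, manifest) {
  const start = new URL(manifest.start_url ?? '', documentUrl).href;
  const scope = manifest.scope !== undefined
    ? new URL(manifest.scope, documentUrl).href
    : defaultScope(start);
  return { start, scope };
}

// Simplified model (an assumption, not Chromium's code) of the policy an
// installer must enforce: the document, start_url and scope share one origin
// and start_url lies inside scope. An "insufficient policy enforcement" bug is
// a path where a check like this is skipped or fed unvalidated input.
function installAllowed(documentUrl, manifest) {
  const { start, scope } = resolveManifest(documentUrl, manifest);
  return sameOrigin(documentUrl, start)
    && sameOrigin(start, scope)
    && start.startsWith(scope);
}

// Constructed inputs for a quick run: node sop.js
console.log(sameOrigin('https://bank.com/login', 'https://bank.com:443/account')); // true
console.log(sameOrigin('https://bank.com/', 'https://evil.com/'));                 // false
console.log(installAllowed('https://evil.com/app/',
  { start_url: 'https://bank.com/', scope: 'https://bank.com/' }));               // false
```

Note that a subdomain (api.bank.com) and a non-default port (bank.com:8443) are both different origins from bank.com; the check is an exact match on all three components, which is why a single missed comparison anywhere in an install path is enough to break the policy.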
Who’s Affected and What’s at Risk
Chrome is the world’s most popular browser, and this flaw affects all desktop platforms: Windows, macOS, and Linux. Android and iOS users running Chrome-based browsers might also be impacted, though the advisory focuses on desktop. If you haven’t manually updated Chrome, you’re running a build earlier than 150.0.7871.47 and are vulnerable. Chrome typically updates itself automatically, but that process can be delayed by corporate policies, slow networks, or user intervention.
For everyday users, the risk is real but manageable. An attacker would need to lure you to a malicious website while an exploitable version of Chrome is installed. No exploits have been spotted in the wild yet, but the publication of the CVE will attract reverse engineers and attackers seeking to craft one. The clock is ticking.
Businesses and IT administrators face a larger headache. Any unpatched browser inside a corporate network becomes a potential entry point, especially if users have elevated access. Managed Chrome installations that defer updates for testing should treat this as an emergency break-glass scenario.
Web developers who build or maintain PWAs should pay close attention. A bypass in WebAppInstalls could interfere with legitimate installations, leading to user confusion or data corruption. Until full details emerge, it’s wise to monitor your application’s behavior and encourage users to apply the patch.
How We Got Here: Silent Patches and Rapid Response
CVE-2026-13881 follows a familiar pattern in Chrome’s security lifecycle. The Chromium team releases major milestones every four weeks, and each stable channel update includes a batch of vulnerability fixes. High-severity bugs like this one are often patched without fanfare; Google waits until a majority of users have updated before releasing a detailed analysis.
On June 30, the CVE entry was published alongside the Chrome 150 update announcement. The Chrome Releases blog stated that the new version includes “security fixes,” with the usual note that many stem from internal audits and external reports. The lack of a detailed write-up isn’t unusual—it’s a deliberate strategy to minimize the window between disclosure and exploit development.
In recent years, several same-origin bypasses have been disclosed in Chrome and other Chromium-based browsers. Each incident reminds us that SOP is surprisingly brittle, dependent on countless checks scattered across the browser’s codebase. The WebAppInstalls component, added in Chrome 64 and expanded heavily since, integrates with many subsystems, making it a juicy target for researchers.
What to Do Now: Step-by-Step Update Guide
If you’re reading this on a personal machine, stop what you’re doing and update Chrome immediately. Here’s how:
- Open Chrome. Click the three-dot menu in the top-right corner.
- Go to Help > About Google Chrome.
- Chrome will automatically check for updates and start downloading version 150.0.7871.47.
- Once the download finishes, click Relaunch.
- After the relaunch, revisit chrome://settings/help to verify the version number.
If you’re an IT administrator managing Chrome across an organization, push the update via your device management tools now. For Windows Active Directory environments, deploy the latest MSI package. For those using Chrome’s Group Policy templates, ensure that background automatic updates haven’t been disabled. Check your fleet’s version distribution and isolate any machines stuck on older builds.
For users who can’t update immediately:
- Avoid clicking links from untrusted sources, especially in emails or chat messages.
- Consider using a different browser temporarily for sensitive tasks like banking or email.
- Disable site-level permissions for PWAs you don’t recognize (go to chrome://settings/content/siteDetails and revoke “Install” permissions).
Verify the fix:
Open a new tab and type chrome://version. The “Google Chrome” line should read “150.0.7871.47”. If it doesn’t, repeat the update steps or download the standalone installer from google.com/chrome.
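For the fleet check described above for administrators, and for the version verification just described, here is an added example (not from the article) that compares reported Chrome version strings numerically against the fixed build and sorts a version inventory into patched, vulnerable and needs-follow-up. The fixed version comes from the article; the inventory, host names and function names are constructed for illustration.

```javascript
// Added example, not from the article: classify Chrome builds against the
// fixed version. Comparing version strings lexically is a classic mistake
// ("150.0.7871.9" sorts after "150.0.7871.47"), so each component is compared
// as an integer.
const FIXED_VERSION = '150.0.7871.47'; // from the advisory

function parseVersion(v) {
  const parts = String(v).trim().split('.').map(Number);
  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a Chrome version string: ${v}`);
  }
  return parts;
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isPatched(version) {
  return compareVersions(version, FIXED_VERSION) >= 0;
}

// Constructed inventory, as it might be exported from a device-management
// console; ws-005 carries trailing whitespace from a CSV export and ws-006
// never reported a version.
const SAMPLE_INVENTORY = [
  { host: 'ws-001', version: '150.0.7871.47' },
  { host: 'ws-002', version: '149.0.7820.103' },
  { host: 'ws-003', version: '150.0.7871.39' },
  { host: 'ws-004', version: '151.0.7900.12' },
  { host: 'ws-005', version: '150.0.7871.47 ' },
  { host: 'ws-006', version: 'unknown' },
  { host: 'ws-007', version: '150.0.7871.9' },
];

// Sort hosts into three buckets; an unparseable version is treated as
// needing manual follow-up rather than silently assumed safe.
function triageFleet(inventory) {
  const report = { patched: [], vulnerable: [], unparseable: [] };
  for (const { host, version } of inventory) {
    try {
      (isPatched(version) ? report.patched : report.vulnerable).push(host);
    } catch {
      report.unparseable.push(host);
    }
  }
  return report;
}

console.log(triageFleet(SAMPLE_INVENTORY));
// { patched: ['ws-001','ws-004','ws-005'], vulnerable: ['ws-002','ws-003','ws-007'], unparseable: ['ws-006'] }
```

The same `isPatched` check applies to the single value read from chrome://version on one machine; the inventory loop is the fleet-wide form of it.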
The Bigger Picture: Why You Can’t Ignore Browser Updates
Browsers are the most exposed application on your computer, constantly parsing untrusted code from the internet. A vulnerability like CVE-2026-13881 shows how even a niche component like WebAppInstalls can be weaponized. While we wait for Google’s full postmortem, one lesson stands out: automatic updates are not a luxury. If you’ve ever postponed a Chrome relaunch “until later,” you’ve left the door open for attackers.
Google’s rapid patching cadence remains a model for the industry, but it only works if users adopt updates. The gap between a fix’s release and its universal deployment is where exploits breed. From now on, treat browser updates as critically as you would a smoke alarm battery.
What to Watch Next
Google is expected to release a technical breakdown of CVE-2026-13881 within the next few weeks, possibly with a CWE classification and proof-of-concept details. That will clarify whether the bypass could have been exploited remotely without user interaction, or if it required a more complex attack chain.
Additionally, Microsoft, Apple, and other vendors may issue their own advisories if the flaw extends to other Chromium-derived browsers like Edge and Opera. For now, update your browser and keep an eye on the Chrome Releases blog and the NIST National Vulnerability Database for the full narrative. And next time you see that “Update Chrome” prompt, don’t ignore it.