{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5881", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:37.730Z", "datePublished": "2026-04-08T21:20:49.608Z", "dateUpdated": "2026-04-08T21:20:49.608Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Policy bypass in LocalNetworkAccess in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Policy bypass"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:49.608Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/454162508"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Policy bypass in LocalNetworkAccess in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-5881", "lastModified": "2026-04-08T22:16:27.753", "metrics": {}, "published": "2026-04-08T22:16:27.753", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/454162508"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:43:48.110605+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version 147.0.7727.55 or later. ", "Verify that the Chrome update has been applied on all systems. ", "If managing Chrome via enterprise policy, ensure LocalNetworkAccess restrictions are enforced until the patch is in place. ", "Monitor user reporting of unexpected navigation or local network access. "], "summary": {"action": "Patch Chrome", "impact": "Unauthorized Local Network Access"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of Google Chrome running versions earlier than 147.0.7727.55. The current Chrome stable channel update, version 147.0.7727.55, includes the fix. Users on older releases or custom builds not yet updated are therefore susceptible.", "description_and_impact": "The vulnerability is a policy bypass in the LocalNetworkAccess feature of Google Chrome, which can be triggered by a crafted HTML page. It allows a remote attacker to circumvent navigation restrictions and access local network resources that are normally blocked. This leads to potential confidentiality breaches and could also serve as a foothold for further compromise. The weakness is a form of improper access control (CWE\u2011284).", "risk_and_exploitability": "The vulnerability has a Medium severity score. EPSS data is unavailable, and the issue is not listed in the CISA KEV catalog. The exploitation pathway typically involves a malicious web page that a user visits, after which Chrome automatically attempts to access local network destinations that are normally restricted. Because the attack requires the user to open the crafted page, the risk depends on user behavior, but the potential impact of local network data exposure makes it a concern for environments with sensitive internal resources."}}}}, "created": "2026-04-09T08:17:21.534519+00:00", "title": "Policy Bypass Enables Unauthorized Local Network Access in Chrome", "updated": "2026-04-09T08:26:45.066031+00:00", "vendors": ["google", "google$PRODUCT$chrome"], "weaknesses": ["CWE-284"]}