Threat analysis (severity: high)

Chromium Zero-Day: Browser Fetch API Security Bypass

An unpatched security bypass and metadata leakage zero-day has been identified in the Chromium Browser Fetch API, allowing cross-origin attackers to bypass Same-Origin Policy (SOP); this article provides frontend exposure audits and detection scripts.

Tags: google-chrome, chromium, zero-day, security-bypass, cross-site-scripting

    Executive Summary

    An unpatched browser security bypass zero-day vulnerability has been disclosed affecting Google Chrome and other Chromium-based browsers (including Microsoft Edge, Brave, and Opera) (TechTimes).

    The vulnerability involves a fundamental security bypass and metadata leakage flaw inside the Browser Fetch API implementation. Following an accidental public disclosure on the Chromium issue tracker on 2026-05-20, functional proof-of-concept (POC) exploits became widely circulated. If exploited, the flaw enables malicious web applications to bypass the Same-Origin Policy (SOP) and Cross-Origin Resource Sharing (CORS) constraints, leaking sensitive access tokens, session headers, and authenticated API payloads to cross-origin attackers. This post details the technical mechanics, risk criteria, and an automated Python code audit script.

    Key Facts

    vulnerability_id: "Chromium Browser Fetch Leak"
    cve: "pending_chromium_assignment"
    vendor: "Google"
    product: "Chromium Browser Engine"
    first_disclosed: "2026-05-20"
    vulnerability: "Security bypass and CORS/SOP evasion in Browser Fetch API"
    cwe: ["CWE-346", "CWE-200", "CWE-284"]
    affected_products: ["Google Chrome", "Microsoft Edge", "Brave", "Opera", "Vivaldi"]
    affected_platforms: ["Windows", "macOS", "Linux", "Android", "iOS"]
    exploitation_status: "active_exploit_publicly_available"
    zero_day_status: "confirmed_unpatched_zero_day"

    Source Confidence & Evidence Mapping

    • confirmed: Accidental public disclosure on the Chromium bug tracker on May 20, 2026, exposes working proof-of-concept exploits for the Fetch API security bypass (TechTimes).
    • confirmed: Multiple frontend security reports confirm that unpatched Chromium-based browsers leak request headers and API keys during cross-origin fetch operations (Malwarebytes).
    • unclear: Google and the Chromium project are actively developing an emergency security patch, but a release date remains unconfirmed as of late May 2026.

    Impact Determination

    Classification: Confirmed compromise
      Criteria: Web application logs or proxy telemetry show unauthorized cross-origin requests extracting API headers or access tokens via unpatched browser fetch operations.
      Required evidence: Network logs or WAF telemetry showing anomalous fetch requests carrying sensitive credentials to unauthorized external domains.
      Remediation trigger: Revoke the exposed session tokens and API keys, and force administrative session termination.
      Closure condition: Implement strict credential rotation and verify the deployment of the official browser security patch.

    Classification: Presumed exposed
      Criteria: Development environments or end-user endpoints utilize standard Chromium-based browsers for accessing internal, authenticated API portals.
      Required evidence: Configuration audit or browser version scan identifying unpatched Chrome versions < 148.0.7778.180.
      Remediation trigger: Urge users to use non-Chromium fallback browsers or apply strict origin-isolation policies.
      Closure condition: Verification shows that Google Chrome has been updated to the fixed security release.

    Classification: Potentially exposed
      Criteria: A network exposes web applications, but user browser versions and API consumption policies are not tracked.
      Required evidence: Lack of browser inventory or endpoint agent telemetry.
      Remediation trigger: Run the browser inventory and codebase exposure audit script.
      Closure condition: Classify the asset as confirmed compromise, presumed exposed, or not exposed.

    Classification: Not exposed
      Criteria: Users utilize fully patched browsers or non-affected alternative browser engines (e.g. Firefox/Gecko).
      Required evidence: Verified endpoint browser inventory showing Firefox or patched Chrome deployments.
      Remediation trigger: None for this zero-day.
      Closure condition: Configuration verification artifact is archived.

    Timeline

    • 2026-05-20: A Chromium issue tracker entry detailing the Fetch API vulnerability is accidentally made public, sparking immediate exploit circulation (TechTimes).
    • 2026-05-22: Threat actors publish automated scanner rules to harvest exposed credentials via browser fetch redirection (Malwarebytes).
    • 2026-05-26: Chromium project continues emergency code reviews to release the security patch.

    What Happened

    The vulnerability is caused by a logic error in how the Chromium network service handles cross-origin redirects inside the Fetch API. Normally, the Same-Origin Policy prevents a site from reading cross-origin fetch responses unless explicit CORS headers allow it. However, by leveraging nested, redirecting fetch calls with specific header combinations, an attacker-controlled page can force the browser to bypass these checks, leaking the full response body and custom authorization headers of internal APIs directly to the malicious script.

    Technical Analysis

    The primary flaw lies inside the redirect validation routine. The browser fails to strip or sanitize administrative headers when a cross-origin redirect is processed via custom fetch handlers.
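    To make the expected behaviour concrete, the following is an added reference model written for this article (example code, not Chromium's implementation) of the two checks the flaw described above is said to skip: credential-bearing request headers are dropped when a redirect crosses an origin boundary, and a cross-origin response body is handed to the calling script only when its CORS headers admit the caller's origin (a wildcard never satisfies a credentialed request). The hostnames, the response table, the header policy beyond Authorization, and the helper names are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Request headers that carry credentials. The Fetch standard names Authorization as the
# header to drop on a redirect to another origin; the others are a conservative extension
# chosen for this example (hypothetical policy, not a Chromium setting).
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
MAX_REDIRECTS = 20


def origin_of(url):
    """Scheme/host/port triple, with default ports filled in so
    'https://a.example' and 'https://a.example:443' compare equal."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def same_origin(a, b):
    return origin_of(a) == origin_of(b)


def headers_for_redirect(current_url, target_url, headers):
    """Headers carried to a redirect target: unchanged within the same origin,
    credential headers removed when the target is a different origin."""
    if same_origin(current_url, target_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def cors_readable(page_origin, response_headers, credentialed):
    """Response-side CORS check: may a script running at page_origin read this
    cross-origin response? '*' never satisfies a credentialed request."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    acao = lowered.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao == "*":
        return not credentialed
    if acao != page_origin:
        return False
    return (not credentialed) or lowered.get("access-control-allow-credentials", "").lower() == "true"


def fetch_model(page_origin, url, headers, responses, credentialed=True):
    """Walk a redirect chain against a response table and report which request
    headers reached each hop and whether the final body is exposed to the script."""
    hops, current, carried = [], url, dict(headers)
    for _ in range(MAX_REDIRECTS + 1):
        status, response_headers, body = responses[current]
        hops.append({"url": current, "sent_headers": sorted(carried)})
        location = {k.lower(): v for k, v in response_headers.items()}.get("location")
        if 300 <= status < 400 and location:
            target = urljoin(current, location)
            if urlsplit(target).scheme not in ("http", "https"):
                return {"hops": hops, "error": "redirect to non-HTTP(S) scheme"}
            carried = headers_for_redirect(current, target, carried)
            current = target
            continue
        readable = same_origin(page_origin, current) or cors_readable(page_origin, response_headers, credentialed)
        return {"hops": hops, "final_url": current, "readable": readable, "body": body if readable else None}
    return {"hops": hops, "error": "too many redirects"}


# Constructed response table (hypothetical hostnames). The first endpoint answers with a
# redirect to an unrelated third-party origin that serves a wildcard CORS header.
SAMPLE_RESPONSES = {
    "https://api.example.internal/v1/me": (302, {"Location": "https://collector.third-party.example/x"}, ""),
    "https://collector.third-party.example/x": (200, {"Access-Control-Allow-Origin": "*"}, "not for the caller"),
    "https://api.example.internal/v1/profile": (200, {
        "Access-Control-Allow-Origin": "https://app.example.internal",
        "Access-Control-Allow-Credentials": "true",
    }, '{"user":"alice"}'),
}

if __name__ == "__main__":
    request_headers = {"Authorization": "Bearer <placeholder-token>", "Accept": "application/json"}
    for path in ("/v1/me", "/v1/profile"):
        print(fetch_model("https://app.example.internal", "https://api.example.internal" + path,
                          request_headers, SAMPLE_RESPONSES))
```

    Run against the constructed table, the redirected request reaches the third-party host with only the Accept header, and its body stays unreadable because a wildcard Access-Control-Allow-Origin does not cover a credentialed request; the profile endpoint, which names the caller's origin and allows credentials, is readable. A browser that skips either step behaves like the flaw the text describes.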

    Affected Assets and Blast Radius

    asset_selectors:
      - "chrome.exe"
      - "chrome"
      - "chromium"
      - "Browser Fetch API"
    highest_value_assets:
      - "Developer endpoints accessing cloud administration portals via Chrome"
      - "Internal corporate web applications relying on browser session credentials"
    credentials_and_data_at_risk:
      - "Active session cookies and OAuth access tokens"
      - "Internal API keys passed via authorization headers"
      - "Sensitive database records accessible via authenticated API routes"

    Indicators And Detection Selectors

    vulnerabilities: ["Chromium Browser Fetch Leak"]
    telemetry_selectors:
      - "fetch"
      - "chrome"
      - "chromium"
      - "CORS"
      - "Same-Origin Policy"

    Detection and Hunting

    This hunting script audits frontend project repositories and codebase configuration files to identify insecure CORS/Fetch implementations that could be exploited via unpatched browsers:

    #!/usr/bin/env python3
    """Audit a repository for CORS and fetch patterns that widen the blast radius of the
    Chromium Browser Fetch Leak. Usage: ./audit.py /path/to/repo (or ROOT=/path/to/repo);
    findings are written to $OUT/findings.json."""
    import json
    import os
    import re
    import sys
    from pathlib import Path
    
    ROOT = Path(os.environ.get("ROOT", sys.argv[1] if len(sys.argv) > 1 else ".")).resolve()
    # Reserved for a telemetry-driven pass; this script does not read it.
    TELEMETRY_DIR = Path(os.environ.get("TELEMETRY_DIR", "telemetry-export")).resolve()
    OUT = Path(os.environ.get("OUT", "hp-chromium-fetch-leak-scope")).resolve()
    
    VULN_ID = "Chromium Browser Fetch Leak"
    
    CONFIG_SUFFIXES = {".conf", ".json", ".yml", ".yaml", ".js", ".ts", ".py", ".go"}
    FRONTEND_SUFFIXES = {".js", ".jsx", ".ts", ".tsx", ".html"}
    CONFIG_SKIP = {".git", "node_modules", "vendor"}
    FRONTEND_SKIP = {".git", "node_modules", "dist"}
    
    # Access-Control-Allow-Origin set to "*", quoted (code/JSON) or bare (nginx/Apache directives).
    WILDCARD_ORIGIN_RE = re.compile(r"Access-Control-Allow-Origin[^\n]*(?:[\"']\*[\"']|\s\*)", re.IGNORECASE)
    # Access-Control-Allow-Credentials: true on the same line.
    CREDENTIALS_RE = re.compile(r"Access-Control-Allow-Credentials[^\n]*true", re.IGNORECASE)
    # A fetch() call whose options literal sets redirect: 'manual'; the [^;] class spans the
    # usual multi-line options object but stops at the end of the statement.
    MANUAL_REDIRECT_RE = re.compile(r"fetch\s*\([^;]*?redirect\s*:\s*[\"']manual[\"']", re.IGNORECASE)
    # A headers object literal carrying credential-bearing header names. The alternation is
    # grouped so it only applies inside the braces (ungrouped, a bare "token" anywhere matched).
    SENSITIVE_HEADERS_RE = re.compile(r"headers\s*:\s*\{[^}]*(?:authorization|token|x-api-key)", re.IGNORECASE)
    
    
    def read_text(path):
        try:
            return path.read_text(encoding="utf-8", errors="ignore")
        except Exception:
            return ""
    
    
    def skipped(path, skip_parts):
        """True for non-files and for anything under a vendored/build directory."""
        return not path.is_file() or any(part in skip_parts for part in path.parts)
    
    
    OUT.mkdir(parents=True, exist_ok=True)
    findings = {
        "insecure_cors_settings": [],
        "exposed_fetch_implementations": []
    }
    
    for path in ROOT.rglob("*"):
        # 1. Insecure CORS configuration in backend/config files: wildcard origins, or
        #    credentials allowed (critical when both appear in the same file).
        if path.suffix in CONFIG_SUFFIXES and not skipped(path, CONFIG_SKIP):
            content = read_text(path)
            wildcard_origin = WILDCARD_ORIGIN_RE.search(content)
            credentials_match = CREDENTIALS_RE.search(content)
            if wildcard_origin or credentials_match:
                findings["insecure_cors_settings"].append({
                    "file": str(path),
                    "wildcard_origin": bool(wildcard_origin),
                    "credentials_allowed": bool(credentials_match),
                    "risk_rating": "Critical" if wildcard_origin and credentials_match else "High",
                    "remediation": "Restrict Access-Control-Allow-Origin to explicit trusted domains"
                })
    
        # 2. Frontend code that handles redirects manually or places credential headers
        #    on client-side fetch calls (the material a leaking redirect would expose).
        if path.suffix in FRONTEND_SUFFIXES and not skipped(path, FRONTEND_SKIP):
            body = read_text(path)
            redirect_match = MANUAL_REDIRECT_RE.search(body)
            headers_match = SENSITIVE_HEADERS_RE.search(body)
            if redirect_match or headers_match:
                findings["exposed_fetch_implementations"].append({
                    "file": str(path),
                    "manual_redirect_handling": bool(redirect_match),
                    "exposes_sensitive_headers": bool(headers_match),
                    "remediation": "Ensure redirect validation is strictly enforced server-side"
                })
    
    with open(OUT / "findings.json", "w", encoding="utf-8") as f:
        json.dump(findings, f, indent=2)
    
    print(f"[{VULN_ID} Audit Complete] Findings saved to: {OUT / 'findings.json'}")
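    The audit script declares TELEMETRY_DIR but never consumes telemetry. As an added companion written for this article (example code, not part of the original script), the following hunts over proxy or WAF export lines for the two signals the impact determination asks for: credentialed requests to first-party APIs whose Origin header is not a trusted first-party origin, and a first-party redirect to an off-site host followed within a short window by the same client sending credentials to that host. The JSON-lines format, the field names (including the boolean "auth" flag), the hostnames and the allowlists are constructed assumptions; map them onto the real export schema before use.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy/WAF export in JSON-lines form; hostnames, clients and field names are
# hypothetical and stand in for whatever the real export schema provides.
SAMPLE_LOG = """
{"ts":"2026-05-21T09:00:01Z","client":"10.1.2.3","method":"GET","host":"api.example.internal","path":"/v1/me","status":200,"origin":"https://app.example.internal","sec_fetch_site":"same-site","auth":true}
{"ts":"2026-05-21T09:00:05Z","client":"10.1.2.3","method":"GET","host":"api.example.internal","path":"/v1/me","status":200,"origin":"https://ads.third-party.example","sec_fetch_site":"cross-site","auth":true}
{"ts":"2026-05-21T09:01:10Z","client":"10.1.2.9","method":"GET","host":"api.example.internal","path":"/v1/export","status":302,"location":"https://collector.third-party.example/x","origin":"https://app.example.internal","sec_fetch_site":"same-site","auth":true}
{"ts":"2026-05-21T09:01:11Z","client":"10.1.2.9","method":"GET","host":"collector.third-party.example","path":"/x","status":200,"origin":"https://app.example.internal","sec_fetch_site":"cross-site","auth":true}
{"ts":"2026-05-21T09:02:00Z","client":"10.1.2.4","method":"GET","host":"cdn.example.internal","path":"/logo.png","status":200,"sec_fetch_site":"same-site","auth":false}
"""

# Assumed allowlists: origins that may issue credentialed fetches to the APIs, and the hosts we own.
TRUSTED_ORIGINS = {"https://app.example.internal", "https://admin.example.internal"}
FIRST_PARTY_HOSTS = {"api.example.internal", "app.example.internal",
                     "admin.example.internal", "cdn.example.internal"}
# How long after an off-site redirect a credentialed request to that host is still correlated with it.
REDIRECT_WINDOW = timedelta(seconds=30)


def parse_log(text):
    """Parse JSON-lines telemetry; 'auth' is a boolean the export sets when
    Authorization or a session cookie was present on the request."""
    rows = [json.loads(line) for line in text.splitlines() if line.strip()]
    for row in rows:
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def hunt(rows):
    """Return findings for the two signals: credentialed API calls from an untrusted
    Origin, and credentials following a first-party redirect to an off-site host."""
    findings = []

    # Rule 1: a credentialed request to a first-party host whose Origin is not trusted.
    for row in rows:
        origin = row.get("origin")
        if row["host"] in FIRST_PARTY_HOSTS and row.get("auth") and origin and origin not in TRUSTED_ORIGINS:
            findings.append({"rule": "untrusted-origin-credentialed-api-call", "ts": row["ts"].isoformat(),
                             "client": row["client"], "origin": origin, "target": row["host"] + row["path"]})

    # Rule 2: a first-party 3xx whose Location leaves our hosts, followed within REDIRECT_WINDOW
    # by the same client sending credentials to that external host.
    by_client = {}
    for row in rows:
        by_client.setdefault(row["client"], []).append(row)
    for client, entries in by_client.items():
        entries.sort(key=lambda e: e["ts"])
        for i, row in enumerate(entries):
            location = row.get("location")
            if not (row["host"] in FIRST_PARTY_HOSTS and 300 <= row["status"] < 400 and location):
                continue
            egress_host = (urlsplit(location).hostname or "").lower()
            if egress_host in FIRST_PARTY_HOSTS:
                continue
            for follow in entries[i + 1:]:
                if follow["ts"] - row["ts"] > REDIRECT_WINDOW:
                    break
                if follow["host"] == egress_host and follow.get("auth"):
                    findings.append({"rule": "credentialed-redirect-egress", "ts": follow["ts"].isoformat(),
                                     "client": client, "redirect_from": row["host"] + row["path"],
                                     "egress_host": egress_host})
                    break
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding))
```

    On the constructed lines the first rule fires for the call from ads.third-party.example and the second for client 10.1.2.9, whose first-party 302 is followed one second later by a credentialed request to the redirect target. Rule 2 hits satisfy the "confirmed compromise" evidence row and should trigger token revocation; Rule 1 hits are a weaker signal that also catches ordinary cross-site attempts blocked by CORS, so triage them against the response status.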

    Remediation & Credential Rotation Plan

    Containment & Mitigation

    Since an official patch is still in development:

    1. Fallback Browser Policy: Advise users and internal administrators to utilize non-Chromium alternative browsers (such as Firefox/Gecko) when accessing highly sensitive internal cloud portals or active administrative panels.
    2. Restrict CORS Ingress: Review nginx, Apache, and WAF rules to ensure that Access-Control-Allow-Origin wildcards (*) are strictly removed. Implement strict host-header validation on all internal corporate APIs.
    3. Use Short-Lived Tokens: Shorten the lifespan of active API tokens and browser cookies to limit the potential blast radius of leaked authorization headers.

    Eradication & Recovery

    1. Deploy Emergency Patches: As soon as Google releases Chrome version 148.0.7778.180 (or higher), mandate immediate upgrades across all endpoint systems.
    2. Rotate Affected Keys: If a developer’s endpoint logs show active requests from unverified external domains using internal tokens, immediately revoke and replace the compromised API keys and active administrative sessions.

    Sources

    1. TechTimes Report: Chromium Browser Fetch API Zero-Day Exploit Leaked Online
    2. Malwarebytes Lab Threat Alert: Chromium Same-Origin Policy Security Bypass