{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5892", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:40.655Z", "datePublished": "2026-04-08T21:20:54.153Z", "dateUpdated": "2026-04-08T21:20:54.153Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in PWAs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to install a PWA without user consent via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Insufficient policy enforcement"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:54.153Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/487568011"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in PWAs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to install a PWA without user consent via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-5892", "lastModified": "2026-04-08T22:16:29.083", "metrics": {}, "published": "2026-04-08T22:16:29.083", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/487568011"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:58:49.701623+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 147.0.7727.55 or newer", "Verify the update by navigating to chrome://settings/help", "If an update cannot be applied immediately, enforce an enterprise policy that blocks PWA installation until the fix is installed", "Stay informed by monitoring Chrome release notes for future security patches"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized PWA Installation"}, "threat_synthesis": {"affected_systems": "All desktop installations of Google Chrome older than version 147.0.7727.55 are affected. This includes Windows, macOS, and Linux builds of the stable channel. The vendor\u2019s update notes confirm that the patch applies universally across these platforms.", "description_and_impact": "Insufficient enforcement of policy within the progressive web app subsystem of Google Chrome allows an attacker who has already compromised the renderer process to bypass user confirmation and install a progressive web app through a crafted HTML page. The installed app can then run with the privileges of the user\u2019s profile, enabling disclosure or modification of local data and potentially acting as a vector for further exploitation. The weakness is a form of improper access control, identified as CWE\u2011284.", "risk_and_exploitability": "Chromium classifies the vulnerability as medium severity. Exploitation requires the attacker to first compromise the renderer process, typically through a separate web\u2011based exploit that gains sufficient access. Until the browser is updated, the likelihood of successful exploitation remains low, but the impact, if achieved, could be significant for the compromised user. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no EPSS score is available."}}}}, "created": "2026-04-09T08:17:00.402646+00:00", "title": "Insufficient Policy Enforcement Enables Unauthorized PWA Installation", "updated": "2026-04-09T08:26:26.570652+00:00", "vendors": ["google", "google$PRODUCT$chrome"], "weaknesses": ["CWE-284"]}