External risk intelligence

Chrome for Android WebAppInstalls Access Control Bypass

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-13851

The vulnerability requires a local attacker to bypass discretionary access control on the device. Because the attack relies on local access and interaction with the browser's internal file or app installation handling, it is not a scenario involving typical public-internet-facing exposure.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in Google Chrome on Android that could allow a local attacker to bypass access controls through a specially crafted webpage. While the immediate risk appears low due to the requirement for local access, the broader implications for data integrity and application functionality warrant attention.

  • Local attackers can bypass access controls.
  • High severity; confirm relevance and exposure.
  • Understand Chrome on Android security.

Attack Path

How an attacker could exploit the issue

An attacker with local access to an Android device could create a specially crafted HTML page. Opening this page in a vulnerable version of Google Chrome would allow the attacker to bypass the browser's discretionary access controls. This could lead to unauthorized access to or modification of local data.

  • Local device access required.
  • Crafted HTML page triggers bypass.
  • Unauthorized local data access.

Live Threat

Current exploitation, exposure, and threat context

A local attacker could potentially manipulate how the browser handles web app installations on Android devices. This could affect the integrity and availability of the system when interacting with a specially crafted web page.

  • System data integrity.
  • Local attacker bypasses access controls.
  • Unintended web app installation.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Chrome on Android requires local access to exploit, suggesting that direct system owners and potentially mobile device management teams are the most likely to address it. The first practical step is to confirm the presence of the affected Chrome version on managed or sensitive Android devices and assess the potential for local attack vectors.

  • Identify affected Android Chrome installations.
  • Verify local device access and exposure.
  • Coordinate vendor updates and user communication.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the WebAppInstalls component in Google Chrome on Android?

WebAppInstalls is a specialized feature within the Chrome browser on Android that manages the process of adding web-based applications to your device's home screen. It handles the transition from a standard website to an installed web app, ensuring that these applications have appropriate permissions and sandbox boundaries to interact with your device securely.

What does CWE-20 mean for CVE-2026-13851?

CWE-20, or Improper Input Validation, refers to a weakness where software receives input from an outside source but fails to ensure that the data is safe or structured as expected. In the context of this CVE, it means the browser does not properly check a crafted webpage, allowing it to trick the installation system into granting permissions that should be restricted.

How is this vulnerability triggered by an attacker?

An attacker must have physical or local access to the Android device to successfully trigger the bug. They need to lead the user to open a specific, malicious HTML file within the vulnerable version of Chrome. Simply visiting a standard, legitimate website or having the browser installed does not trigger the vulnerability on its own; it requires the interaction with that specific crafted content.

Why does Halo Surface Signal categorize this as unlikely?

Halo Surface Signal assesses this as very unlikely because the exploit is not reachable over the public internet. Because the attack requires the user to already be physically present or have local control of the Android device to load the crafted page, it does not present a remote, network-based threat typical of most internet-facing vulnerabilities.

What should I do if I use Chrome on Android?

Your first step is to verify the version of Chrome currently installed on your Android devices to determine if it is earlier than 150.0.7871.47. If you are running an older version, prioritize updating the browser through the official app store. If you manage multiple devices, ensure your internal mobile device management policies are set to enforce timely updates across your fleet.

References