External risk intelligence

Chrome for Android WebAppInstalls Local Access Control Bypass.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-13852

The vulnerability requires a local attacker on the device to execute a crafted HTML page, meaning it is not reachable from the public internet. It is a client-side issue affecting an installed application component, requiring physical or local user presence on the device to trigger, rather than being an internet-facing service or network-accessible endpoint.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in a component of Google Chrome on Android, allowing for potential bypass of access controls. This issue could permit unauthorized actions on a user's device if they interact with a malicious web page. The primary concern is to confirm if our organization utilizes the affected technology and if there is any exposure.

  • Local attackers can bypass access controls.
  • Understand potential impact on Android users.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

A local attacker could create a malicious webpage to trick a user into navigating to it. This page would then interact with a vulnerable component in Chrome on Android, allowing the attacker to bypass access restrictions.

  • Local attacker with device access.
  • Navigating to a crafted HTML page.
  • Bypassing access controls.

Live Threat

Current exploitation, exposure, and threat context

A local attacker could bypass access controls on a user's Android device by tricking them into visiting a malicious webpage. This could affect how applications are installed and managed on the device.

  • Application installation data.
  • Local attacker visits a crafted page.
  • Unauthorized application installations.

Operational Fix

Recommended remediation, mitigation, and detection steps

The disclosed vulnerability impacts Google Chrome on Android, specifically the WebAppInstalls component. Given the platform and component, ownership is likely split between the Mobile Application team responsible for Chrome on Android, and the Platform/Infrastructure team managing Android device environments. The first practical step involves identifying all Android devices with the affected Chrome version, assessing the business criticality of those devices, and then coordinating with the relevant application and device owners to plan remediation.

  • Mobile App and Platform teams own this.
  • Verify affected Android devices and Chrome versions.
  • Plan coordinated remediation via maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is WebAppInstalls in Google Chrome on Android?

WebAppInstalls is a component within the Chrome browser designed to manage how web applications are installed and integrated into the Android operating system. It bridges the gap between web content and the device's native app environment, allowing users to 'install' websites so they function more like standalone apps on their mobile devices.

How does CVE-2026-13852 bypass access controls?

This vulnerability is classified as CWE-20, or Improper Input Validation. It occurs because the software fails to properly check data received from untrusted sources. In this case, the flaw allows a crafted HTML page to trick the browser's installation component, enabling an attacker to bypass discretionary access controls that are intended to restrict what actions a web page can perform on the device.

Do I need to be tricked into visiting a page to trigger this bug?

Yes. This vulnerability requires a local attacker to induce a user to navigate to a specifically crafted HTML page. It does not trigger automatically; the malicious code must be executed by the browser on the local device. The vulnerability is not triggered by simply having the application installed or by standard web browsing activity that does not involve the malicious content.

Is my organization at risk from this Chrome vulnerability?

According to Halo Surface Signal, this is very unlikely. The vulnerability is a client-side issue that requires a local attacker to be present on the device, meaning it is not reachable or exploitable from the public internet. It does not present a network-based attack vector against your infrastructure.

How should I respond to CVE-2026-13852?

Your first step is to identify all Android devices in your environment running versions of Chrome on Android prior to 150.0.7871.47. Once the devices are identified, coordinate with your mobile application and device management teams to prioritize updates for those specific units. Maintaining up-to-date software versions is the primary method to address this component-level flaw.

References