CVE-2026-5892 Overview
CVE-2026-5892 is a policy enforcement vulnerability in Progressive Web Apps (PWAs) within Google Chrome prior to version 147.0.7727.55. This security flaw allows a remote attacker who has already compromised the renderer process to install a PWA without obtaining user consent by leveraging a crafted HTML page.
Critical Impact
Attackers who have compromised Chrome's renderer process can silently install Progressive Web Apps without user interaction or consent, potentially enabling persistent access, credential theft, or further malicious activities through the installed PWA.
Affected Products
- Google Chrome versions prior to 147.0.7727.55
- Chromium-based browsers using the affected PWA implementation
- All desktop platforms running vulnerable Chrome versions
Discovery Timeline
- 2026-04-08 - CVE-2026-5892 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-5892
Vulnerability Analysis
This vulnerability represents a policy enforcement bypass in Google Chrome's Progressive Web App installation mechanism. The flaw exists in how Chrome validates and enforces security policies when a PWA installation request originates from a compromised renderer process. Under normal circumstances, PWA installation requires explicit user consent through a browser-mediated prompt. However, this vulnerability allows an attacker who has already gained control of the renderer process to circumvent these consent mechanisms entirely.
The security impact is particularly concerning in attack chains where an initial compromise of the renderer process (through separate vulnerabilities) can be escalated to persistent access via silently installed PWAs. Chromium has classified this vulnerability as Medium severity.
Root Cause
The root cause stems from insufficient policy enforcement in the PWA installation flow within Chrome's architecture. The browser's security boundary between the renderer process and the browser process did not adequately validate that PWA installation requests originated from legitimate user-initiated actions. This allowed a compromised renderer to forge or bypass the user consent verification, enabling unauthorized PWA installations.
Attack Vector
The attack requires the adversary to first compromise Chrome's renderer process through a separate vulnerability or exploit chain. Once renderer compromise is achieved, the attacker can craft malicious HTML content that triggers PWA installation without the normal user consent flow. The crafted HTML page exploits the insufficient policy checks to silently install an attacker-controlled Progressive Web App.
This attack vector is particularly effective because:
- PWAs have significant capabilities including offline access, push notifications, and potential access to device APIs
- Installed PWAs persist across browser sessions, providing long-term access
- Users may not notice unauthorized PWA installations without actively checking their installed applications
The exploitation mechanism leverages the trust boundary weakness between renderer and browser processes. Technical details can be found in the Chromium Issue Tracker Entry.
Detection Methods for CVE-2026-5892
Indicators of Compromise
- Unexpected PWA installations appearing in Chrome's chrome://apps or the operating system's application list
- PWA installations without corresponding user interaction or consent prompts in browser history
- Suspicious renderer process behavior preceding PWA installation events
- Network connections to unexpected origins from newly installed PWAs
Detection Strategies
- Monitor Chrome installation directories for newly created PWA application files without corresponding user activity
- Implement endpoint detection rules to flag PWA installations that occur without preceding user consent dialogs
- Analyze Chrome browser logs for anomalous PWA installation events that bypass normal consent workflows
- Deploy browser telemetry monitoring to detect renderer process compromise indicators followed by PWA activity
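One way to implement the second strategy above (flagging PWA installs that are not preceded by a consent prompt) as an added example; this is not code from the advisory or from Chrome. The event records and field names are constructed for illustration, and a renderer crash shortly before an install, which the advisory lists as a compromise indicator, raises the finding's severity:

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real Chrome log output). Event types:
# "consent_prompt" = browser-mediated install prompt shown to the user,
# "pwa_install"    = a web app was actually installed,
# "renderer_crash" = renderer process crash, a possible compromise indicator.
SAMPLE_EVENTS = [
    {"ts": "2026-04-08T10:00:00", "type": "consent_prompt", "origin": "https://mail.example", "profile": "u1"},
    {"ts": "2026-04-08T10:00:03", "type": "pwa_install",    "origin": "https://mail.example", "profile": "u1"},
    {"ts": "2026-04-08T10:05:00", "type": "renderer_crash", "origin": "https://evil.example", "profile": "u1"},
    {"ts": "2026-04-08T10:05:02", "type": "pwa_install",    "origin": "https://evil.example", "profile": "u1"},
    {"ts": "2026-04-08T10:09:00", "type": "consent_prompt", "origin": "https://docs.example", "profile": "u2"},
    {"ts": "2026-04-08T10:20:00", "type": "pwa_install",    "origin": "https://docs.example", "profile": "u2"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_silent_installs(events, window=timedelta(seconds=60)):
    """Return pwa_install events with no consent_prompt for the same origin
    and profile within `window` before them. Severity is "high" when a
    renderer_crash in the same profile also falls inside the window."""
    events = sorted(events, key=lambda e: parse(e["ts"]))
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "pwa_install":
            continue
        t = parse(ev["ts"])
        consented = crash_seen = False
        for prior in events[:i]:
            # Only look back `window` and only within the same profile
            if t - parse(prior["ts"]) > window or prior["profile"] != ev["profile"]:
                continue
            if prior["type"] == "consent_prompt" and prior["origin"] == ev["origin"]:
                consented = True
            elif prior["type"] == "renderer_crash":
                crash_seen = True
        if not consented:
            findings.append({"ts": ev["ts"], "origin": ev["origin"],
                             "profile": ev["profile"],
                             "severity": "high" if crash_seen else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_silent_installs(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['severity']:6} {f['profile']} {f['origin']}")
```

The window should be tuned to how long a legitimate consent dialog can stay open in your environment; a too-short window produces the medium-severity finding shown for docs.example.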
Monitoring Recommendations
- Enable enhanced logging for Chrome PWA installation events in enterprise environments
- Implement application whitelisting policies to alert on unauthorized PWA installations
- Monitor for renderer process crashes or unusual behavior that may indicate compromise attempts
- Review Chrome's internal event logs (chrome://webrtc-logs and similar diagnostic pages) for anomalies
How to Mitigate CVE-2026-5892
Immediate Actions Required
- Update Google Chrome to version 147.0.7727.55 or later immediately across all systems
- Audit currently installed PWAs for any unauthorized or suspicious applications
- Review enterprise browser policies to ensure PWA installation restrictions are in place
- Enable SentinelOne browser protection features to detect exploitation attempts
Patch Information
Google has addressed this vulnerability in Chrome version 147.0.7727.55. The fix implements proper policy enforcement to ensure PWA installations cannot bypass user consent even from compromised renderer processes. Organizations should update to this version or later to remediate the vulnerability.
For detailed patch information, refer to the Google Chrome Update Announcement.
Workarounds
- Disable PWA installation entirely through Chrome enterprise policies using WebAppInstallForceList restrictions
- Implement browser isolation solutions to limit renderer process compromise impact
- Use browser enterprise policies to whitelist only approved PWA installations
- Deploy network-level controls to block access to known malicious PWA hosting domains
Chrome Enterprise Policy - Disable PWA installations (add to the Chrome policy configuration; the description is kept outside the file because JSON does not allow comments):
{
  "WebAppInstallForceList": [],
  "DefaultWebAppInstallBehavior": "block"
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.