CVE-2026-8874 Overview
CVE-2026-8874 affects version 3.0.7 of the Securly Chrome Extension. The extension downloads JSON files containing crisis alert keywords and content filtering rules over unencrypted HTTP using the Fetch API. Other endpoints in the same extension correctly retrieve Internet Watch Foundation (IWF) and Children's Internet Protection Act (CIPA) data over HTTPS. This inconsistent Transport Layer Security (TLS) implementation exposes sensitive filtering logic to network-based tampering and disclosure.
Critical Impact
An attacker positioned on the network path can intercept or modify crisis alert keywords and filtering rules, undermining the protective intent of the Securly extension for student safety monitoring.
Affected Products
- Securly Chrome Extension version 3.0.7
- Deployments relying on crisis alert keyword fetching
- Deployments relying on filtering rules JSON delivery
Discovery Timeline
- 2026-06-03 - CVE-2026-8874 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-8874
Vulnerability Analysis
The Securly Chrome Extension version 3.0.7 issues Fetch API requests to retrieve JSON configuration files. These files define crisis alert keywords and content filtering rules used by the extension to monitor and restrict student browsing activity. The extension transmits these requests over plaintext HTTP rather than HTTPS.
The same extension fetches IWF and CIPA datasets over HTTPS. This inconsistency confirms the issue is an implementation oversight rather than an environmental constraint. The plaintext channel exposes the configuration payload to any network observer.
An adversary with network position can read the keyword and rule sets in transit. A more active adversary can rewrite the JSON response to remove keywords, disable rules, or inject content that alters extension behavior. The vulnerability falls under the Man-in-the-Middle and Insecure Communication categories.
Root Cause
The root cause is inconsistent enforcement of TLS across Fetch API calls within the extension codebase. Specific endpoints serving crisis alert keywords and filtering rules use http:// URLs instead of https://. No transport-layer integrity or confidentiality protections apply to those responses.
Attack Vector
An attacker on the same network as a target device, or anywhere on the path between the device and the Securly backend, can perform a Man-in-the-Middle attack. Public Wi-Fi, compromised routers, and ARP or DNS spoofing on local networks all provide sufficient position. The attacker intercepts the HTTP request and returns crafted JSON, which the extension consumes as authoritative filtering configuration.
No verified proof-of-concept code is available. Refer to the CERT Vulnerability Advisory #595768 for technical details.
Detection Methods for CVE-2026-8874
Indicators of Compromise
- Outbound HTTP requests from Chrome to Securly endpoints serving JSON crisis alert or filtering content
- Unexpected modifications to in-memory filtering rule sets following network transit
- Mismatch between Securly server-side rule versions and the rules applied on the endpoint
Detection Strategies
- Inspect proxy and firewall logs for plaintext HTTP traffic originating from the Securly extension process
- Compare cryptographic hashes of fetched JSON payloads against known-good baselines provided by Securly
- Alert on TLS downgrade patterns where the same client uses HTTPS for IWF and CIPA endpoints but HTTP for keyword and rule endpoints
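The mixed-scheme check from the list above, sketched as an added example (not code from the advisory or the vendor). It assumes an inspecting proxy that logs full URLs in the constructed five-field format shown; the `.vendor.example` suffix and the JSON paths are placeholders, not real Securly endpoints.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: placeholder suffix standing in for the vendor's real hostnames.
VENDOR_SUFFIX = ".vendor.example"

# Constructed sample lines: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2026-06-04T08:01:02Z 10.0.5.21 GET https://data.vendor.example/iwf.json 200
2026-06-04T08:01:03Z 10.0.5.21 GET https://data.vendor.example/cipa.json 200
2026-06-04T08:01:04Z 10.0.5.21 GET http://cfg.vendor.example/crisis_keywords.json 200
2026-06-04T08:01:05Z 10.0.5.21 GET http://cfg.vendor.example/filter_rules.json 200
2026-06-04T08:02:10Z 10.0.5.34 GET https://data.vendor.example/iwf.json 200
2026-06-04T08:02:11Z 10.0.5.34 GET https://cfg.vendor.example/filter_rules.json 200
2026-06-04T08:03:00Z 10.0.5.40 GET http://news.example/index.html 200
malformed line
"""

def parse_line(line):
    """Return (client, scheme, host, path), or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    url = urlsplit(parts[3])
    if url.scheme not in ("http", "https") or not url.hostname:
        return None
    return parts[1], url.scheme, url.hostname.lower(), url.path

def find_mixed_tls_clients(log_text, suffix=VENDOR_SUFFIX):
    """Map client -> sorted cleartext vendor JSON URLs, for clients that
    also reached the vendor over HTTPS (the inconsistency in the advisory)."""
    plaintext = defaultdict(set)
    used_https = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        client, scheme, host, path = rec
        if not host.endswith(suffix):
            continue  # unrelated destination
        if scheme == "https":
            used_https.add(client)
        elif path.endswith(".json"):
            plaintext[client].add(f"http://{host}{path}")
    return {c: sorted(u) for c, u in plaintext.items() if c in used_https}

if __name__ == "__main__":
    for client, urls in find_mixed_tls_clients(SAMPLE_LOG).items():
        print(f"ALERT {client}: cleartext vendor config fetches: {urls}")
```

Clients flagged here can be cross-checked against the extension version inventory to confirm they still run 3.0.7.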
Monitoring Recommendations
- Enable full network telemetry collection on managed endpoints running the Securly Chrome Extension
- Monitor browser process network activity for cleartext HTTP destined to Securly infrastructure
- Correlate extension version inventory with network telemetry to identify devices still running 3.0.7
How to Mitigate CVE-2026-8874
Immediate Actions Required
- Identify all managed devices running Securly Chrome Extension version 3.0.7 through endpoint inventory
- Contact Securly to confirm availability of a patched version that fetches all configuration data over HTTPS
- Restrict student device usage on untrusted networks until a fixed extension version is deployed
Patch Information
No vendor patch reference is included in the published NVD record at this time. Consult the CERT Vulnerability Advisory #595768 and Securly support channels for the latest fixed release.
Workarounds
- Force extension traffic through an inspecting proxy that blocks plaintext HTTP to Securly endpoints and surfaces the failures for triage
- Enforce HTTPS-only browsing policy via Chrome enterprise configuration to prevent insecure Fetch API calls from succeeding
- Limit deployment of the affected extension to networks where path integrity is verified until a TLS-consistent build is released
Example Chrome enterprise policy enforcing HTTPS-only mode (/etc/opt/chrome/policies/managed/https_only.json):
```json
{
  "HttpsOnlyMode": "force_enabled",
  "ExtensionInstallBlocklist": ["<securly_extension_id_if_unpatched>"]
}
```


