MEDIUM 6.5

CVE-2026-10004: Chrome UI Spoofing Vulnerability – Password Dialog Hijacking

Google Chrome versions before 148.0.7778.216 contain a flaw in how they validate user input within the password-handling component. An attacker can craft a malicious HTML page that, when visited by a user, tricks the browser into displaying fake password prompts or other UI elements that appear legitimate. This is a spoofing attack—the attacker doesn't steal data directly, but deceives users into believing they're interacting with genuine Chrome interface elements, potentially leading them to enter credentials or take other unintended actions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-20
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in Passwords in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10004 stems from insufficient input validation (CWE-20) in Chrome's password subsystem prior to version 148.0.7778.216. The vulnerability permits a remote, unauthenticated attacker to craft specially designed HTML content that bypasses UI validation controls. When rendered, this content causes the browser to display spoofed UI elements—such as fake password dialogs—without proper origin verification or context isolation. The attack requires user interaction (visiting the malicious page and potentially engaging with the fake UI) but does not require elevated privileges. Chromium assigned this a High severity rating internally, though the resulting CVSS 3.1 score of 6.5 (MEDIUM) reflects the UI-only impact without direct data exfiltration.

Business impact

UI spoofing attacks targeting password prompts pose a credential harvesting risk. Users deceived by convincing fake password dialogs may unknowingly enter their passwords into attacker-controlled contexts, compromising account security even if the underlying browser data is not directly accessed. Organizations relying on Chrome for sensitive workflows—particularly those without additional authentication hardening or user training—face elevated phishing and social engineering risk. The integrity impact is high because users' trust in browser UI is violated, though confidentiality and availability of the system itself remain unaffected by this specific flaw.

Affected systems

Google Chrome versions prior to 148.0.7778.216 on all supported platforms are affected: Microsoft Windows, Apple macOS, and Linux. Any user running an unpatched Chrome browser on these operating systems can encounter this vulnerability when visiting a malicious site. Organizations with Chrome deployed as a primary browser, especially in environments lacking strict browsing controls or endpoint detection, should prioritize inventory and patching.

Exploitability

Exploitation requires a user to visit an attacker-controlled or compromised website; no sophisticated techniques, authentication, or local privilege escalation are needed. The attack vector is network-based and the complexity is low. However, success ultimately depends on user interaction—specifically, the user noticing and engaging with the spoofed UI element. Sophisticated threat actors could combine this with phishing campaigns or watering-hole attacks to increase click-through rates. The absence of KEV (Known Exploited Vulnerabilities) catalog inclusion as of the latest data suggests limited wild exploitation at present, though this should not be interpreted as immunity.

Remediation

Update Google Chrome to version 148.0.7778.216 or later immediately. Chrome auto-updates by default, but users should verify their browser version (chrome://version) and manually check for updates if automatic updates appear delayed. Organizations should enforce Chrome updates via mobile device management (MDM) or endpoint management tools to ensure rapid deployment. No workaround eliminates the vulnerability without patching; risk mitigation during a patching window relies on user awareness training and browsing policy restrictions.

Patch guidance

Google Chrome delivers patches automatically on most platforms. Administrators should verify that auto-update mechanisms are enabled and functional. For managed environments, deploy version 148.0.7778.216 or later through your endpoint management platform. Test the patch in a non-production environment first to confirm compatibility with internal applications and extensions. Chrome typically supports multiple release channels (Stable, Beta, Dev); ensure all in-use channels are updated. Check the official Google Chrome release notes to confirm the fix is included in the version you deploy.

Detection guidance

Monitor for HTML/JavaScript patterns that attempt to overlay or inject UI elements that mimic Chrome's native password dialogs. Network detection can identify attempts to serve malicious HTML payloads from known attacker infrastructure. Endpoint detection should flag processes or scripts attempting unusual DOM manipulation targeting credential input contexts. User education is critical: train staff to verify URLs in the address bar and to recognize subtle differences between native dialogs and web-based spoofs (e.g., web-based elements may not perfectly match platform-specific UI rendering). Log and alert on unusual password manager or credential entry patterns that deviate from normal user behavior.

Why prioritize this

Although the CVSS score is MEDIUM (6.5), the practical risk justifies timely patching. Credential harvesting via UI spoofing is a proven attack vector used in real phishing campaigns. The attack surface is broad—any website visit can trigger exploitation—and Chrome's ubiquity in enterprises means a large target population. The lack of data breach or system compromise in this specific flaw (purely integrity impact to UI trust) places it below critical, but the social engineering and credential compromise pathway makes it a near-term priority. Organizations should treat this as 'high' within their Chrome patching schedule.

Risk score, explained

The CVSS 3.1 score of 6.5 (MEDIUM) reflects: Attack Vector (Network, highest impact), Attack Complexity (Low, easier to exploit), Privilege Requirement (None), User Interaction (Required, lowers score), Scope (Unchanged), Confidentiality (None directly impacted), Integrity (High—user trust in UI is broken), and Availability (None). The 'High' Chromium severity designation acknowledges the credential risk but is tempered by the need for active user engagement with the spoofed element. The score accurately represents that this is neither a critical remote code execution nor a trivial issue—it sits in the upper-middle range, demanding prompt attention especially in credential-sensitive environments.

Frequently asked questions

Can this vulnerability steal my passwords without any action on my part?

No. This vulnerability allows an attacker to display a fake password dialog that looks like a Chrome dialog, but it does not automatically capture passwords. A user must visit the malicious webpage, see the spoofed prompt, and then enter their password into it. The attack relies on social engineering, not silent data theft.

Does the vulnerability affect Chrome passwords stored in the browser vault?

No. Chrome's stored passwords are not directly accessible via this flaw. The vulnerability is confined to UI spoofing—tricking users into entering credentials into a fake dialog. Your saved passwords remain protected by Chrome's encryption; this attack targets user perception and behavior, not the underlying password storage.

If I have auto-update enabled, am I automatically protected?

Chrome typically auto-updates, but there may be a delay between the patch release and deployment to your device. Verify your current version at chrome://version. If you are below 148.0.7778.216, manually trigger an update via the menu (Settings > About Chrome) to ensure you receive the fix immediately.

Is there any indication that attackers are already exploiting this in the wild?

As of the latest data, this vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting limited public exploitation. However, the absence of a KEV listing does not guarantee safety—exploitation may be occurring in targeted campaigns without broad visibility. Patching promptly is the best defense.

This analysis is provided for informational and defensive purposes. It is not a substitute for official vendor advisories or guidance from your organization's security team. Verify all patch versions and deployment steps against official Google Chrome release notes and your vendor documentation. While this assessment reflects available data as of the publication date, threat landscape and vulnerability details may evolve; regularly consult official sources for updates. Organizations should conduct their own risk assessments based on their specific environment, user population, and security posture before prioritizing remediation efforts. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).