CVE-2026-10944: Chrome iOS Autofill Data Leak Vulnerability – Patch Now
A flaw in Google Chrome's autofill feature on iOS could allow an attacker to trick a user into visiting a malicious webpage that extracts sensitive information you've saved in your browser—such as payment details, addresses, or credentials—from other websites you use. The vulnerability requires user interaction (visiting the malicious page) but does not require special system permissions or unusual browser configurations to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-693
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in Autofill in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10944 stems from insufficient policy enforcement in Chrome's autofill mechanism on iOS. The vulnerability permits a remote attacker to exfiltrate cross-origin data through a specially crafted HTML page. The flaw allows data that should remain isolated to a particular website to be accessed and leaked to an attacker-controlled origin. The issue affects Chrome versions prior to 149.0.7827.53 and is classified under CWE-693 (Improper Restriction of Rendered UI Layers or Frames). Chromium's security team rated this as High severity due to the confidentiality impact and low attack complexity.
Business impact
The primary business risk is credential and payment data exposure. Users who rely on Chrome's autofill to manage credentials across multiple sites face potential account compromise if they visit a malicious page. For organizations whose employees use Chrome on iOS devices for work—particularly those handling customer or internal data—this vulnerability could lead to unauthorized data access, compliance violations, and user trust erosion. The low barrier to exploitation (a simple webpage visit) amplifies the risk profile relative to more complex attack chains.
Affected systems
This vulnerability affects Google Chrome on Apple iOS running versions prior to 149.0.7827.53. It does not impact Chrome on Android, desktop platforms, or other browsers. Affected users are those running older builds of Chrome iOS and visiting untrusted web content. Organizations with iOS-based workforces using Chrome for web applications should prioritize assessment of their deployment versions.
Exploitability
Exploitability is moderate to high in practice. An attacker needs only to craft a malicious HTML page and convince a user to visit it—no network position or elevated privileges required. The attack surface is anyone with Chrome on iOS, making it accessible to opportunistic attackers. However, the vulnerability does require user interaction (clicking a link or visiting the page), which serves as a minor friction point. No public exploit or active in-the-wild campaigns are currently tracked in the Known Exploited Vulnerabilities (KEV) catalog, but the simplicity of the attack vector and the sensitivity of autofill data suggest this could attract attention.
Remediation
Update Google Chrome on iOS to version 149.0.7827.53 or later as soon as possible. Users should verify their current version in Chrome settings (tap your profile icon > Settings > About Chrome) and enable automatic updates. Additionally, consider reviewing and clearing sensitive autofill data (Settings > Autofill and passwords) if you suspect a visit to an untrusted site occurred. For organizations, enforce Chrome version pinning or managed updates via Mobile Device Management (MDM) if available.
Patch guidance
Google has released Chrome 149.0.7827.53 as the fix version. Deployment should prioritize affected iOS devices and users. Because iOS app updates flow through the App Store, users must either enable automatic updates in the App Store settings or manually update the app. Organizations using MDM solutions can leverage managed Chrome deployment to enforce rapid updates. Verify that all Chrome instances on iOS devices are updated; note that some enterprise environments may have deployment delays due to App Store review processes or internal testing procedures.
Detection guidance
Monitor for successful autofill data extraction by examining network logs for unusual cross-origin requests originating from autofill interactions. Endpoint Detection and Response (EDR) on managed iOS devices may flag suspicious data exfiltration patterns. On the application side, review web server logs for atypical access patterns to autofill-sensitive endpoints. Users should monitor linked accounts (email, payment services, etc.) for unauthorized access attempts. If an organization suspects compromise via this vector, credential reset and account activity review are advisable for affected users.
Why prioritize this
Despite a CVSS score of 6.5 (MEDIUM), this vulnerability warrants high-priority attention due to the nature of autofill data (credentials, payment information) and the low attack friction. The vulnerability is not yet tracked in the KEV catalog but poses direct risk to user authentication and financial data. The ease of user-to-attack-surface connection (simply visiting a webpage) and the iOS platform's prevalent use in mobile workforces elevate business risk above the numeric severity alone.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects a medium severity rating driven by high confidentiality impact (C:H), network-based attack vector (AV:N), and low attack complexity (AC:L). However, the score is tempered by the requirement for user interaction (UI:R) and no impact on integrity or availability. While the numeric score is moderate, the real-world business impact—potential compromise of stored credentials and payment data—often justifies faster response than the CVSS alone suggests. Organizations should weigh the sensitivity of data their users autofill when determining response urgency.
Frequently asked questions
Can an attacker steal my autofill data without my knowledge?
No. While the vulnerability does require you to visit a malicious webpage, the attacker can craft a page that appears legitimate (e.g., mimicking a login screen or checkout page) to increase the likelihood you'll interact with it. Once on the page, autofill data can be exfiltrated without additional prompts, but the initial visit is necessary.
Does this affect Chrome on Android or desktop?
No. This vulnerability is specific to Chrome on Apple iOS. Chrome on Android, Windows, macOS, and Linux are not affected by CVE-2026-10944.
If I update Chrome, am I protected immediately?
Yes, updating to Chrome 149.0.7827.53 or later patches the vulnerability. On iOS, enable automatic App Store updates in your settings, or manually open the App Store, search for Chrome, and tap 'Update' to receive the fix.
What should I do if I suspect I visited a malicious page before updating?
Review account activity for any of your linked services (email, payment, social media) for unauthorized access. If you spot suspicious activity, change passwords for those accounts immediately. For high-sensitivity accounts, enable additional authentication methods (e.g., two-factor authentication). If your organization was affected, notify your security team for log analysis and potential credential rotation guidance.
This analysis is provided for informational purposes and reflects ground-truth data as of the publication date. CVSS scores, remediation guidance, and affected versions are current as of June 2026. Organizations should verify patch availability and compatibility with their specific Chrome deployment model before applying updates. This vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog. No active exploitation campaigns have been publicly confirmed. Consult official Google Chrome and Apple security advisories for the most up-to-date guidance. SEC.co recommends threat modeling autofill risks specific to your organization's data sensitivity and iOS usage patterns. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10950MEDIUMChrome iOS Autofill Data Leak Vulnerability – Patch Guide
- CVE-2025-48649HIGHAndroid Local Privilege Escalation via Permission Bypass
- CVE-2025-48652HIGHAndroid MDM Bypass Logic Flaw – HIGH Severity Privilege Escalation
- CVE-2026-0045HIGHAndroid Bluetooth Bonding Bypass Privilege Escalation
- CVE-2026-0077HIGHAndroid ActivityRecord Privilege Escalation Vulnerability
- CVE-2026-0087HIGHAndroid App Link Hijacking via Domain Verification Logic Error
- CVE-2026-0097HIGHAndroid Bluetooth Pairing Logic Error Allows Silent Privilege Escalation
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking