MEDIUM 6.5

CVE-2026-10950: Chrome iOS Autofill Data Leak Vulnerability – Patch Guide

Google Chrome on iOS has a flaw in how it enforces security policies for the autofill feature. An attacker can trick a user into visiting a specially crafted webpage that leaks sensitive data from other websites the user has visited or logged into. The vulnerability requires user interaction (clicking or visiting a malicious link) but doesn't require any special browser configuration or authentication bypass. It affects Chrome versions before 149.0.7827.53 on iOS devices.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-693
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient policy enforcement in Autofill in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10950 involves insufficient policy enforcement in Chrome's autofill mechanism on iOS. The vulnerability stems from inadequate isolation of autofill data across security boundaries, categorized under CWE-693 (Improper Control of Dynamically-Managed Code Resources). An attacker-controlled webpage can extract autofill information—such as saved credentials, form data, or other sensitive fields—from cross-origin contexts where that data should be restricted. The flaw is triggered through crafted HTML and exploited with network-level access; no local privilege or prior compromise is required. Chromium's internal security assessment rated this as High severity.

Business impact

The leakage of cross-origin autofill data creates a credential and personal information exposure risk. Users may have payment details, usernames, email addresses, or other sensitive autofill entries stolen without their knowledge. For enterprises managing iOS devices and relying on Chrome for work tasks, this could enable phishing follow-ups, account takeover chains, or theft of corporate data inadvertently stored in autofill. The requirement for user interaction limits the attack surface to scenarios where users visit untrusted sites, but the prevalence of social engineering makes this a realistic threat vector.

Affected systems

All iOS users running Google Chrome versions prior to 149.0.7827.53 are affected. The vulnerability does not impact Chrome on Android, macOS, Windows, Linux, or other platforms—it is specific to the iOS implementation. Any iPhone or iPad user with an older Chrome version installed is susceptible if they visit a crafted malicious webpage.

Exploitability

Exploitability is moderate. An attacker must host a malicious webpage and convince or trick a user into visiting it (via phishing, ads, or social engineering). The attack surface is broad because users often click links in emails, messages, or social media without verification. However, the attack does not work against a user who never visits untrusted sites or who restricts Chrome use. No special network position, user privileges, or advanced technical setup is required on the attacker side. The CVSS 3.1 score of 6.5 (MEDIUM) reflects this balance: high confidentiality impact and low attack complexity, but mandatory user interaction.

Remediation

Users should update Google Chrome on iOS to version 149.0.7827.53 or later. iPhone and iPad owners can do this through the App Store by opening the Updates tab, finding Chrome, and installing the latest version if not already automatic. Enterprise administrators managing iOS devices through MDM solutions should push Chrome updates as a priority and verify deployment completion. Users concerned about autofill security can also disable autofill in Chrome settings (Settings > Passwords and security > Autofill) as a temporary measure, though this reduces usability.

Patch guidance

Google has released the fix in Chrome 149.0.7827.53 for iOS. Users should check the App Store for the latest version; most modern iOS setups have automatic app updates enabled by default. Administrators should verify that managed devices are running this version or later through their MDM console. No workarounds or interim mitigations from Google have been published; patching is the primary remediation. Users on older iOS versions that no longer receive Chrome updates should consider upgrading their device OS if possible.

Detection guidance

Detecting exploitation in real-time is difficult because the attack leverages normal browser behavior (autofill) and standard HTML rendering. Organizations can monitor for suspicious redirect chains, unusual cross-origin data exfiltration attempts, or user reports of unexpected credential compromises after visiting certain sites. Endpoint detection and response (EDR) tools may flag unusual subprocess spawning or data access patterns if autofill data is being extracted programmatically. Security teams should also track Chrome version inventory on managed iOS devices to identify endpoints still running vulnerable versions. User education about phishing and untrusted sites remains a key preventive control.

Why prioritize this

Although this vulnerability carries a MEDIUM CVSS score and is not listed on CISA's Known Exploited Vulnerabilities catalog, it merits timely patching because it directly threatens user credentials and personal data. The ease of user-level exploitation (a simple visit to a malicious site) and the broad user base of Chrome on iOS make this a practical risk. Organizations with iOS device fleets or BYOD policies should treat this as a standard-priority update, not an emergency, but should not delay—many users will not self-update promptly without nudging.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects a Medium severity rating based on: Attack Vector Network (the flaw is remotely exploitable), Attack Complexity Low (no special conditions needed beyond the malicious page), Privileges Required None (no prior access needed), User Interaction Required (user must visit the site), Scope Unchanged (impact is limited to the affected user's confidentiality, not system integrity or availability), Confidentiality Impact High (autofill data is fully disclosed), Integrity Impact None (no data modification), and Availability Impact None (no denial of service). The gap between Chromium's internal High rating and the CVSS Medium reflects Chromium's use of a different methodology; CVSS is conservative about availability and integrity, whereas Chromium may weigh credential exposure more heavily.

Frequently asked questions

Can this vulnerability be exploited if I don't use autofill in Chrome?

If autofill is disabled, the attack cannot extract autofill data. However, if autofill has ever been enabled and data was saved—even if you turn it off later—it may still be at risk during a brief window before it is cleared. To be safe, disable autofill if you do not use it, and verify it is off in Chrome settings under Passwords and security.

Does updating to Chrome 149.0.7827.53 on iOS fully resolve the vulnerability?

Yes, updating to version 149.0.7827.53 or any later version patches the insufficient policy enforcement flaw. Ensure you verify the version number in Chrome's About section (Settings > About Chrome) after updating, as auto-updates may lag on some devices.

Is this vulnerability being actively exploited in the wild?

As of the publication date, this vulnerability is not on CISA's Known Exploited Vulnerabilities list, meaning no widespread active exploitation has been publicly documented. However, the relative ease of attack means organizations should not assume it will remain unexploited indefinitely. Patching should proceed on a standard timeline, not an emergency one, unless new exploitation evidence emerges.

Does this affect Chrome on Android or other platforms?

No. This vulnerability is specific to Chrome on iOS. Chrome on Android, macOS, Windows, and Linux may have their own autofill policies and implementations. If you use Chrome on multiple platforms, you only need to update the iOS version to fix this issue. Check each platform independently for other security updates.

This analysis is provided for informational purposes and reflects publicly disclosed information as of the date published. CVSS scores, affected versions, and patch guidance are based on official sources and should be verified against the vendor's advisory before implementing remediation. Exploit code and proof-of-concept details are not included. Organizations should assess this vulnerability in the context of their own risk profile, threat landscape, and compliance obligations. No warranty is given that this information is complete, accurate, or current; always consult official vendor guidance and your security team before taking action. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).