Google patched a medium-severity security hole in Chrome for iOS on Wednesday that could let attackers trick users into leaking sensitive form data across different websites. The fix ships in version 150.0.7871.47, and anyone who browses with Chrome on an iPhone or iPad should install it immediately.

The vulnerability at a glance

CVE-2026-13913 is a flaw in the way Chrome’s Autofill feature enforces origin isolation on iOS. Under certain conditions, a crafted webpage can persuade a user to trigger Autofill in a way that sends data meant for Site A to Site B without the user realizing it. The attack requires the user to take an action – clicking a button or tapping into a field – but no malware or device compromise is needed. Google’s advisory assigns the bug a “Medium” severity rating, a label that can mask the real-world damage when credit card numbers, addresses, or login credentials are siphoned across origins.

The root cause sits in the policy layer that governs how Autofill suggestions are bound to web origins. Chrome on iOS was not consistently enforcing that autofilled values be delivered only to the origin that originally stored them. An attacker who lures a victim to a malicious page could, for example, present a form that looks like a shipping address update but actually exfiltrates the data to a different domain. The fix tightens those origin checks so that Autofill data cannot cross boundaries even when a user is socially engineered.

What actually changed in version 150.0.7871.47

Apple’s App Store began rolling out Chrome 150.0.7871.47 late on March 26, 2026. The release notes are sparse, as usual for security updates, but the Chromium bug tracker confirms a single patch for CVE-2026-13913. No other fixes are bundled in this point release. The update is available for all iPhones and iPads running iOS 16 or later.

Technically, the patch introduces stricter validation inside the AutofillAgent component on iOS. When Chrome determines which autofill profile to suggest, it now compares the full origin – scheme, host, and port – of the current page with the origin that originally saved the data. Previously, the comparison was less rigorous, allowing a subdomain or related domain to inherit suggestions it shouldn’t have. This change aligns iOS behavior more closely with Chrome on desktop and Android, where similar protections already existed.

What it means for you

The direct blast radius is iPhones and iPads, but the ripple effects reach into Windows-centric workflows, especially for anyone who manages a mixed-device fleet or relies on Chrome Sync.

For everyday Windows users

If you have an iPhone or iPad that you use for personal browsing, updating Chrome is a straightforward one-tap affair in the App Store. The bigger concern is data sync. Chrome Sync ties your Autofill entries – credit cards, addresses, passwords – across all devices where you sign in. A cross-origin leak on your iPhone could expose credentials that also unlock accounts on your Windows PC. The stolen data itself isn’t platform-specific; a credit card number is just as valuable regardless of where it was taken.

For IT administrators and MDM shops

Organizations that manage corporate iOS devices through Microsoft Intune, VMware Workspace ONE, or another MDM platform need to push this update quickly. A medium-severity bug that requires user interaction might not trip every automated triage rule, but the attack surface is real: a single spear-phishing link sent to an employee’s iPhone could harvest Autofill data that includes corporate credentials, VPN tokens, or stored payment methods used for expense systems. Intune admins can enforce a minimum app version for Chrome through app protection policies, and this CVE warrants raising that floor to 150.0.7871.47 immediately.

For developers and cross-platform teams

If you build web applications that rely on Autofill, especially for checkout flows or identity verification, this episode is a reminder to test against origin isolation edge cases. While Chrome’s fix addresses the browser side, defensive input validation on your own forms can add another layer of protection. Check that your site’s autocomplete attributes are correctly scoped and that you aren’t inadvertently trusting client-side hints.

How we got here

Autofill has been a fertile ground for browser vulnerabilities over the past several years. In 2024, Safari patched a similar cross-origin flaw that leaked email addresses via AutoFill. Chrome on desktop saw its own medium-severity origin bypass in early 2025, tracked as CVE-2025-1111. The common thread: as browsers add more smarts to fill forms seamlessly, the complexity of the policy engine grows, and with it the number of edge cases where isolation can break.

Chrome for iOS operates under Apple’s WebKit requirement, meaning it uses the same rendering engine as Safari. However, its Autofill logic is Google’s own, layered on top. That hybrid architecture has historically led to bugs that don’t appear in desktop Chrome or Safari. CVE-2026-13913 is one of those platform-specific gaps. Google’s security team caught it through internal fuzzing, not an external report, which suggests it was found before any active exploitation.

For Windows users, the timeline matters because Chrome Sync can silently propagate bad data before a user realizes anything is wrong. If an attacker managed to poison an Autofill entry through this bug, that corrupted entry would then appear on the user’s Windows desktop when they next browse a relevant site. Google has not indicated whether any such sync-based attacks were possible, but the theoretical link exists.

What to do right now

  1. Update Chrome on every iPhone and iPad you own or manage. Open the App Store, tap your profile icon, scroll to Chrome, and tap Update. If you don’t see version 150.0.7871.47, pull down to refresh. The update is immediate and doesn’t require a device restart.

  2. Check your Chrome Sync settings. On your Windows desktop, open Chrome, click your profile picture, and go to chrome://settings/syncSetup. Verify that “Autofill” is toggled on only if you truly need cross-device form filling. If you’ve been using a password manager with its own browser extension, consider disabling Chrome’s built-in Autofill entirely for an added air gap.

  3. IT admins: enforce the minimum version via MDM. In Microsoft Intune, navigate to Apps > App protection policies or App configuration policies for iOS, locate Chrome, and set the minimum app version to 150.0.7871.47. Test the policy on a pilot group first, but aim for broad rollout within 24 hours. For other MDM platforms, the equivalent setting is typically under “Managed App” or “Required App Version.”

  4. Harden your web forms. If you run a site that handles sensitive input, audit your CORS headers and autocomplete attributes. A correct crossorigin policy and explicit autocomplete tokens can prevent the browser from offering suggestions in inappropriate contexts, reducing the chance that a residual flaw affects your users.

  5. Stay alert for targeted phishing. The attack described in the CVE requires persuasion. In practice, that means a well-crafted email or text message luring someone to a clone site that looks legitimate. Brief your users – especially those with access to financial or identity systems – to be extra cautious about unexpected form-filling prompts, even on sites that appear genuine.

Outlook

Cross-platform ecosystem bugs are becoming the norm. A flaw in Chrome for iOS can ricochet into a Windows environment within minutes thanks to sync. Microsoft’s own Edge browser increasingly shares Chromium DNA with Chrome, meaning a future Autofill vulnerability might not be confined to a single operating system. For now, the immediate task is simple: get Chrome for iOS updated, and use the opportunity to review how autofill data flows across the devices in your life. Google has not disclosed any active exploitation of CVE-2026-13913, but the window between patch release and attacker reverse-engineering is famously short. Don’t wait.