On June 30, 2026, Google disclosed a medium-severity vulnerability in Chrome’s built-in password manager that could allow a remote attacker to siphon saved credentials from other websites you’ve visited. The fix arrives in Chrome 150.0.7871.47, and any earlier version remains exposed. If you rely on Chrome to remember your logins, updating immediately stops a bug that undermines the browser’s origin isolation—the very boundary that keeps your banking passwords separate from, say, a random shopping site.
What the Patch Fixes
CVE-2026-13937 lives in the Passwords component, the engine behind Chrome’s offer to save and autofill credentials. Google’s advisory describes it as a “boundary error” that enables cross-origin data leakage. In plain terms, the password manager mishandled data when deciding which origin’s passwords to reveal, where an origin is the scheme, host and port of the page asking for them. A specially crafted web page—think a malicious link in an email or a compromised ad—could exploit this confusion to read passwords belonging to a completely different site.
Chrome normally quarantines site data strictly: a script on example.com must never touch bank.com’s cookies or stored passwords. This flaw chipped away at that wall. The advisory doesn’t spell out the exact preconditions, but typical cross-origin leaks require the attacker to first lure you to their page and then trigger the boundary slip. The fact that it was discovered internally and patched before active exploitation is the silver lining.
The fix tightens the password manager’s internal checks so that cross-origin data is never exposed, regardless of how the page is structured.
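To make the origin boundary concrete, here is an added illustration of the bug class the advisory's wording points at: a loose hostname match beside an exact origin match. It is not Chrome's code and not the actual defect behind CVE-2026-13937, which Google has not described; the vault entries, the page URLs and the helper names are constructed for this example.

```javascript
// Added illustration of an origin-bounded credential lookup. Not Chrome's
// code and not the defect behind CVE-2026-13937 (undisclosed); the vault
// entries and page URLs below are constructed for this example.

// Each entry is keyed by the full origin it was saved on: scheme + host + port.
const VAULT = [
  { origin: "https://bank.example", username: "alice", password: "bank-pw" },
  { origin: "https://shop.example", username: "alice", password: "shop-pw" },
];

// Parse a page URL into its origin; returns null for anything unparseable,
// so a malformed URL can never match a stored credential.
function originOf(pageUrl) {
  try {
    return new URL(pageUrl).origin;
  } catch {
    return null;
  }
}

// LOOSE (the bug class): matches by hostname substring. The hostname
// "bank.example.evil.test" contains "bank.example", and the check ignores
// scheme and port entirely, so plain-http pages and odd ports match too.
function lookupLoose(pageUrl) {
  const host = new URL(pageUrl).hostname;
  return VAULT.filter((c) => host.includes(new URL(c.origin).hostname));
}

// STRICT (hardened): the saved origin must equal the requesting page's origin.
function lookupStrict(pageUrl) {
  const origin = originOf(pageUrl);
  if (origin === null) return [];
  return VAULT.filter((c) => c.origin === origin);
}

// Constructed probes a malicious page might present.
const PROBES = [
  "https://bank.example/login",            // legitimate
  "https://bank.example.evil.test/login",  // lookalike host
  "http://bank.example/login",             // same host, plaintext scheme
  "https://bank.example:8443/login",       // same host, different port
];

for (const url of PROBES) {
  console.log(url, "loose:", lookupLoose(url).length, "strict:", lookupStrict(url).length);
}
```

Real password managers deliberately allow some sharing (Chrome, for instance, offers a credential saved on one host of a registrable domain to that domain's sibling hosts), so the exact rule varies. The point is that whatever rule is chosen has to be applied to the parsed origin, never by string containment on a hostname, which is how lookalike hosts, plain-http pages and unusual ports slip past.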
How the Attack Could Unfold
While Google has not released technical specifics—prudent, because many users are still on older versions—we can sketch a likely scenario. You might visit a legitimate site, save a password, and later land on an attacker-controlled page. The attacker’s code interacts with the password manager in a way that confuses it into thinking the current origin is the legitimate one, allowing it to read stored credentials. The stolen data could then be sent to the attacker’s server.
Because the vulnerability resides in the password manager itself, the usual protections do not apply. HTTPS protects credentials in transit, not inside the browser, and the same-origin policy is only as good as the code that enforces it; when the component deciding which origin owns a credential gets that decision wrong, nothing downstream is left to block the leak. The attack doesn’t require breaking encryption or injecting malware—just a boundary slip in Chrome’s own code.
Importantly, the attacker cannot pull all passwords at once; the flaw likely requires targeting specific origins or tricking the user into interacting with the password manager. Still, for anyone with dozens of saved logins, the risk is real.
What It Means for Home Users and IT Admins
For the average home user, the immediate takeaway is straightforward: check your Chrome version and update if you’re below 150.0.7871.47. If you use Chrome’s password manager as your primary vault, you should treat this as urgent, medium severity label notwithstanding. A leaked password can lead to account takeover, identity theft, or financial loss.
Enterprise IT teams face a double burden. First, they need to push the update to all managed Chrome instances, typically via Group Policy, Chrome Browser Cloud Management, SCCM, or another patch management tool. Second, they must decide whether employees should be using Chrome’s built-in password manager for work credentials at all. Many enterprises discourage this, preferring dedicated password managers that keep secrets out of the browser’s own password component, and Chrome’s PasswordManagerEnabled policy lets them turn the built-in manager off fleet-wide. This incident may tip the scales for organizations still on the fence.
Shared environments like kiosks, VDI, or remote desktop sessions deserve a separate warning, but for a different reason. If one Chrome profile holds saved passwords for multiple users, every one of those users can already read them through Settings > Passwords, with or without this bug; the patch does nothing for a shared profile. The right response there is separate profiles or a policy that disables saving passwords, with the update applied on top.
A Look Back: Chrome Password Manager Vulnerabilities
Chrome as a whole has a long record of quickly patched high-severity bugs, but the examples often cited for the password manager don’t hold up. CVE-2022-1096 was a type confusion in the V8 JavaScript engine, and CVE-2023-2136 was an integer overflow in the Skia graphics library; both were exploited in the wild and fixed in emergency releases, but neither lived in the Passwords component. Where bugs have touched the password manager, Google has generally patched quickly and credited outside researchers through its Vulnerability Reward Program.
The common thread is complexity. The password manager must parse web forms, detect login fields, and interface with highly variable page markup—all while maintaining a strict origin boundary. That’s a lot of surface area for logic errors. Chrome’s architecture already helps: the decision about which credential belongs to which site is made in the privileged browser process rather than in the per-site renderer, and site isolation keeps renderers for different sites apart. That limits what a malicious page can reach directly, but it cannot help when the browser-side origin check itself is wrong, which is what a boundary error in this component amounts to.
It’s also worth noting that “medium” is Google’s own rating, not a CVSS score; Chrome release notes don’t publish one, and the number NVD or other trackers assign arrives later and independently. In Chromium’s severity guidelines, medium covers bugs that let an attacker read or modify a limited amount of information, or that are harmful only in combination with another bug. That describes the preconditions, not the worst case: for a home user with dozens of saved passwords, a successful leak is high impact.
How to Update Chrome and Verify the Fix
For most users, updating Chrome takes less than a minute:
- Click the three-dot menu in the top-right corner.
- Choose Help > About Google Chrome.
- The browser will automatically check for updates and install version 150.0.7871.47 or later.
- Relaunch Chrome when prompted.
To verify you’re safe, revisit the About page and confirm the version string says 150.0.7871.47 or higher. If you see a lower number, try restarting Chrome or manually downloading the installer from google.com/chrome.
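For admins verifying a fleet rather than one machine, the version check needs a numeric, field-by-field comparison; a plain string compare would rank 150.0.7871.100 below 150.0.7871.47. The script below is an added example, not a Google tool: it takes inventory lines of the form hostname, tab, the output of `google-chrome --version` (constructed here, as are the hostnames) and lists the hosts still below the fixed build.

```javascript
// Added example: flag Chrome installs below the patched build. Not a Google
// tool; the inventory lines are constructed for this example.

const FIXED_VERSION = "150.0.7871.47"; // first fixed build per the advisory

// Pull a four-part Chrome version out of a string such as
// "Google Chrome 149.0.7801.110"; null if none is present.
function parseVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(text);
  return m ? m.slice(1, 5).map(Number) : null;
}

// Field-by-field numeric comparison (string comparison would rank
// 150.0.7871.100 below 150.0.7871.47). Returns <0, 0, or >0.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// A host is patched only if a version was found and it is >= FIXED_VERSION.
// An unparseable version is treated as unpatched, not silently skipped.
function isPatched(versionText) {
  const v = parseVersion(versionText);
  return v !== null && compareVersions(v, parseVersion(FIXED_VERSION)) >= 0;
}

// Constructed inventory: "<hostname>\t<output of google-chrome --version>".
const INVENTORY = [
  "ws-001\tGoogle Chrome 150.0.7871.47",
  "ws-002\tGoogle Chrome 149.0.7801.110",
  "ws-003\tGoogle Chrome 150.0.7871.100",
  "ws-004\tGoogle Chrome 150.0.7870.99",
  "ws-005\tcommand not found",
].join("\n");

// Return the hostnames that still need the update.
function unpatchedHosts(inventory) {
  return inventory
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line) => line.split("\t"))
    .filter(([, ver]) => !isPatched(ver ?? ""))
    .map(([host]) => host);
}

console.log("needs update:", unpatchedHosts(INVENTORY).join(", "));
```

On Linux the version text comes from `google-chrome --version`, and on macOS from the binary inside the Chrome app bundle with the same flag; on Windows chrome.exe generally prints nothing for that flag, so read the file version property of chrome.exe instead and feed that string in. Treating "no version found" as unpatched is deliberate: a host that fails the check should show up on the list, not disappear from it.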
Enterprise administrators can deploy the current MSI package or let Google Update roll it out under their existing update policy, then confirm the installed version on endpoints rather than trusting the deployment report alone. After updating, consider enabling Enhanced Safe Browsing (Settings > Privacy and Security > Security) to get proactive warnings about dangerous sites. This feature doesn’t prevent the bug, but it can help steer users away from pages that attempt exploitation.
What Should You Do Right Now?
Update immediately. That’s the single most effective step. Then, take a moment to audit your saved passwords. If you’ve held onto old credentials for unused sites, purge them. The fewer passwords Chrome stores, the smaller the blast radius if another flaw surfaces.
Consider a dedicated password manager. Tools like Bitwarden, 1Password, or KeePass keep the encrypted vault and their own origin-matching logic outside Chrome’s password component, so a bug in that component doesn’t reach them. Most integrate with Chrome through an extension; note that when the extension autofills, the credential still passes through the page’s renderer, so the benefit is separation of storage and fill decisions, not immunity from every browser bug.
Be phishing-aware. This vulnerability would most likely be exploited through a link you click. Suspicious emails, unexpected attachments, and too-good-to-be-true offers remain prime vectors. Always hover over links before clicking, and never enter credentials on a page you reached through an email.
Enable automatic updates. Chrome typically updates itself in the background, but some users disable this. Make sure it’s on so you receive security patches without manual intervention.
Outlook
Google will likely release more details on CVE-2026-13937 once most users have upgraded. Expect the Chromium project to harden the password manager’s boundary logic further—perhaps by moving password storage into an even more isolated sandbox. Meanwhile, this incident underscores a growing truth: as browsers evolve into full-fledged operating systems, their attack surface expands. The built-in password manager, while convenient, is a juicy target. Users who value security over ease should weigh the trade-offs carefully.
For now, the fix is a click away. Patch, verify, and stay suspicious of every link.