Microsoft issued an out-of-band security fix for its Edge browser on July 3, 2026, closing a vulnerability that allowed attackers to spoof website addresses in the address bar. The flaw, tracked as CVE-2026-45489, could be exploited to trick users into entering credentials or downloading malware from what appeared to be a legitimate domain.
The update pushes Edge to build 150.0.4078.48 across Windows, macOS, and Linux. Microsoft rated the vulnerability as medium severity, but security researchers warn that spoofing bugs often serve as a stepping stone for more serious attacks, including phishing and credential theft.
What actually changed
CVE-2026-45489 is a spoofing vulnerability in the Chromium-based Microsoft Edge browser. The flaw resides in how Edge handles certain URL displays and security indicators, potentially allowing a malicious website to present a falsified address in the omnibox. Microsoft’s advisory notes that an attacker could craft a link or page that, when loaded, would show a trusted URL in the address bar while actually serving content from a different, attacker-controlled server.
The technical details remain sparse — Microsoft typically withholds exploit information until after most users have patched — but the advisory confirms that the vulnerability requires user interaction: a victim would need to click a specially crafted link or visit a malicious site. It does not require elevated privileges, and it affects all supported platforms where Edge runs. The fix is delivered via a new Stable channel release, build 150.0.4078.48, which also includes the latest Chromium project updates.
Edge builds prior to this version are considered vulnerable. Microsoft says there is no evidence of active exploitation in the wild, but given that Chromium-based browsers share code, similar bugs often appear in Google Chrome and other derivatives. Google has not yet issued a corresponding CVE for Chrome at the time of writing, but it’s common for such vulnerabilities to be patched collaboratively under the Chromium bug bounty program.
The patch arrived outside of Microsoft’s regular monthly schedule, indicating the urgency of the fix. In fact, it landed just days before the July 2026 Patch Tuesday, suggesting that Microsoft wanted to close the spoofing vector before it could be weaponized widely.
What it means for you
For everyday users, the risk is largely mitigated if you allow Edge to update automatically. Edge downloads and installs security patches silently in the background, but it never hurts to check.
Here’s the practical impact, broken down by audience:
Home users
- The vulnerability could be used in phishing emails or malvertising campaigns. If you clicked a link that led to a page leveraging this flaw, the address bar might show your bank’s URL while the page actually harvested your login data.
- Edge’s built-in Microsoft Defender SmartScreen offers some protection against known phishing sites, but spoofing can bypass superficial visual checks.
- The risk is higher on unpatched systems. If you’ve disabled automatic updates, you’re exposing yourself.
IT administrators
- This is a straightforward patch-management task. Push the update via your usual deployment tools — WSUS, Microsoft Endpoint Configuration Manager, or Intune.
- Because Edge updates independently of Windows, it may not be included in monthly cumulative updates. Ensure your endpoint security policy includes browser updates.
- Monitor your environment for any signs of user credential harvesting or unusual network traffic that could indicate a targeted spoofing attack, though no active exploits have been confirmed.
Developers and site operators
- If you maintain a web application, be aware that your users may be tricked by lookalike domains that exploit this bug. Consider implementing additional authentication factors beyond passwords, such as FIDO2/WebAuthn, to limit the impact of stolen credentials.
- Check that your Content Security Policy headers and certificate transparency logs don’t show any unexpected activity.
How we got here
Microsoft Edge and Google Chrome share the Chromium engine, and spoofing vulnerabilities are a perennial challenge for browser vendors. In the past year alone, several high-profile address-bar spoofing bugs were fixed in Chromium-based browsers, including CVE-2025-1234 (an omnibox spoofing issue patched by Google in March 2026) and CVE-2026-2112 (a similar flaw in Edge’s IE mode reported in April).
CVE-2026-45489 is the latest in a series of user-interface security bugs that play on the trust we place in the browser’s most fundamental security indicator: the address bar. The vulnerability was likely discovered internally by Microsoft or reported by an external researcher through the Microsoft Security Response Center (MSRC) or the Chromium Vulnerability Rewards Program.
The timing of the patch — a Thursday release, just days before the scheduled July Patch Tuesday — points to an accelerated fix cycle. Typically, Microsoft reserves such out-of-band patches for zero-days or bugs with a high risk of imminent exploitation. Although rated medium (CVSS score not yet published), the spoofing category often raises alarm bells because it directly undermines user trust in the primary visual authentication mechanism.
It’s worth noting that Edge’s rapid release cadence means that many users are already on build 150.0.4078.48 or newer by the time you read this. The browser checks for updates every few hours and applies them on restart. However, enterprise environments with managed updates may lag behind.
What to do now
Step 1: Check your Edge version
Click the three-dot menu → Help and feedback → About Microsoft Edge. The browser will automatically check for updates. If you’re not on build 150.0.4078.48 or later, it will begin downloading the patch.
Step 2: Restart the browser
Even after the download completes, you must restart Edge for the update to take effect. Your tabs will be restored, but save any work beforehand.
Step 3: Verify the build number
After restart, go back to About Microsoft Edge and confirm the version string reads 150.0.4078.48 or higher. The patch is cumulative, so any future build above this number is also protected.
Step 4: For administrators — push the update
- For domain-joined machines, use Group Policy to enforce automatic updates and set a minimum version check.
- Microsoft has published the admin template ADMX files that allow you to lock Edge to a specific version channel.
- Deploy via Microsoft Intune: under Apps → Windows → Edge, set the update policy to “Allow updates” and force a sync.
- For air-gapped networks, download the offline installer (MSI) from the Microsoft Edge for Business page and distribute it via your software management solution.
Step 5: Enable enhanced security features
Consider turning on Edge’s “Enhanced security mode” for additional protection against memory-related exploits, though it doesn’t directly address spoofing. Under Settings → Privacy, search and services, enable “Enhance your security on the web” and choose the balanced or strict option.
Step 6: Stay informed
Bookmark the MSRC Security Update Guide and subscribe to RSS feeds for CVEs that affect your environment. For Edge specifically, the release notes page at https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel documents all builds.
Outlook
Spoofing bugs in browsers are not going away. As long as the address bar remains the primary trust anchor, attackers will try to subvert it. Microsoft’s quick out-of-band response suggests a growing recognition that UI-level vulnerabilities can be just as damaging as memory-corruption exploits.
Watch for a possible Google Chrome update in the coming hours or days — if the root cause is in the Chromium codebase, Chrome will need the same fix. Also, keep an eye on the CVE details page for any update on CVSS score and exploitability index; that will tell you how urgently you need to act in enterprise settings.
For now, the best defense remains a simple one: let your browser update itself, and take that extra moment to scrutinize URLs before you type in a password.