Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13862

CVE-2026-13862: Chrome iOS Information Disclosure Bug

CVE-2026-13862 is an information disclosure vulnerability in Google Chrome for iOS that allows attackers in privileged network positions to leak cross-origin data. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-13862 Overview

CVE-2026-13862 is an insufficient policy enforcement vulnerability in the Web Authentication (Passkeys & Security Keys) component of Google Chrome on iOS. Versions of Chrome for iOS prior to 150.0.7871.47 fail to enforce cross-origin protections during WebAuthn operations. An attacker in a privileged network position can leverage a crafted HTML page to leak cross-origin data from the browser. Exploitation requires user interaction, such as visiting an attacker-controlled page. Google classified the Chromium security severity as Medium [CWE-693: Protection Mechanism Failure].

Critical Impact

A network-adjacent attacker can leak sensitive cross-origin data tied to passkey and security key authentication flows, undermining the origin isolation guarantees WebAuthn is designed to provide.

Affected Products

  • Google Chrome on iOS prior to 150.0.7871.47
  • Apple iOS (as the underlying platform for Chrome iOS builds)
  • Web Authentication (Passkeys & Security Keys) component

Discovery Timeline

  • 2026-06-30 - CVE-2026-13862 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-13862

Vulnerability Analysis

The defect resides in the Web Authentication implementation shipped with Chrome on iOS. WebAuthn relies on strict origin binding so that credentials registered for one origin cannot be accessed or referenced by another. In affected builds, Chrome for iOS does not consistently enforce the policy checks that mediate cross-origin access during passkey and security key operations. A crafted HTML page can therefore trigger WebAuthn code paths that return or expose data associated with a different origin. The attacker must occupy a privileged network position, meaning they can intercept or manipulate traffic between the victim and legitimate services. User interaction is also required, since the victim must load the crafted page.

Root Cause

The root cause is missing or incomplete enforcement of cross-origin policy inside the WebAuthn subsystem on the iOS build of Chrome. The relevant checks that isolate credential material and related metadata between origins are not applied in every code path, allowing controlled leakage of cross-origin state.

Attack Vector

Exploitation is remote and requires user interaction. An attacker with the ability to observe or influence the victim's network path, such as through a rogue Wi-Fi access point or on-path proxy, serves a crafted HTML page that invokes WebAuthn APIs. The response paths return data that should have been isolated to a different origin, giving the attacker visibility into confidential cross-origin information. See the Chromium Issue Tracker Entry for technical detail.

No verified proof-of-concept code is publicly available for CVE-2026-13862.
Refer to the vendor advisory and Chromium issue tracker for technical specifics.

Detection Methods for CVE-2026-13862

Indicators of Compromise

  • Chrome for iOS clients reporting versions earlier than 150.0.7871.47 in inventory or user-agent telemetry.
  • Unexpected WebAuthn navigator.credentials.get() or create() invocations originating from unfamiliar or newly registered domains.
  • Client sessions traversing untrusted networks (public Wi-Fi, captive portals) immediately before anomalous authentication events.

Detection Strategies

  • Inventory managed and unmanaged iOS devices and flag those running Chrome versions below 150.0.7871.47.
  • Correlate authentication logs from identity providers with client browser version and network origin to spot WebAuthn calls from stale Chrome iOS builds.
  • Inspect proxy and TLS inspection telemetry for HTML payloads that invoke WebAuthn APIs from low-reputation origins.

Monitoring Recommendations

  • Alert on repeated WebAuthn ceremony failures or origin mismatches reported by relying parties.
  • Track browser version drift on mobile fleets and prioritize devices connecting from untrusted networks.
  • Monitor DNS and web proxy logs for newly observed domains serving pages that reference PublicKeyCredential APIs.

How to Mitigate CVE-2026-13862

Immediate Actions Required

  • Update Google Chrome on iOS to version 150.0.7871.47 or later on every managed device.
  • Push the update through mobile device management (MDM) rather than relying on user-initiated updates.
  • Advise users to avoid untrusted Wi-Fi networks until the update is deployed, since exploitation requires a privileged network position.

Patch Information

Google addressed the issue in Chrome for iOS 150.0.7871.47. Details are published in the Google Chrome Update Notification and tracked in the Chromium Issue Tracker Entry. Apply the update through the App Store or enterprise MDM tooling.

Workarounds

  • Where patching is delayed, restrict WebAuthn usage on iOS Chrome by requiring an alternative supported browser for high-value authentication flows.
  • Enforce always-on VPN on managed iOS devices to reduce exposure to on-path attackers.
  • Educate users to verify certificate warnings and avoid interacting with authentication prompts on untrusted networks.
bash
# Example MDM query to identify vulnerable Chrome iOS installs
# (pseudocode - adapt to your MDM platform's query language)
SELECT device_id, user, chrome_version
FROM mobile_inventory
WHERE platform = 'iOS'
  AND app_bundle_id = 'com.google.chrome.ios'
  AND chrome_version < '150.0.7871.47';

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.