CVE-2026-5898 Overview
CVE-2026-5898 is a user interface spoofing vulnerability in the Omnibox component of Google Chrome on iOS prior to version 147.0.7727.55. The flaw allows a remote attacker to manipulate the address bar through a crafted HTML page, presenting misleading security indicators to users. The issue is classified under CWE-451: User Interface (UI) Misrepresentation of Critical Information. Chromium rates the underlying issue as Low severity, while NVD assigns a medium CVSS score reflecting the user-interaction requirement and limited integrity impact. Successful exploitation can support phishing campaigns by disguising the true origin of malicious content.
Critical Impact
Attackers can spoof the Omnibox URL display to impersonate trusted domains, increasing the success rate of credential phishing and social engineering against Chrome iOS users.
Affected Products
- Google Chrome for iOS versions prior to 147.0.7727.55
- Chrome desktop builds referenced in the Google stable channel advisory
- iOS devices running an unpatched Chrome build where a crafted HTML page can influence what the Omnibox displays
Discovery Timeline
- 2026-04-08 - CVE-2026-5898 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-5898
Vulnerability Analysis
The vulnerability resides in the Omnibox, the combined address and search bar in Google Chrome on iOS. The Omnibox is the primary trust indicator users rely on to verify the origin of web content. When the Omnibox incorrectly displays URL information based on attacker-supplied HTML, users lose the ability to distinguish legitimate sites from malicious ones. The defect maps to CWE-451, which covers cases where security-relevant information is misrepresented in the user interface. Exploitation requires user interaction, typically navigation to a crafted page, but does not require authentication or elevated privileges on the target device.
Root Cause
The root cause is incorrect handling of URL rendering logic in the iOS implementation of Chrome's Omnibox. The component fails to consistently reflect the true origin of the loaded resource when a crafted HTML page manipulates navigation state. As a result, the displayed URL diverges from the actual document origin. Chromium issue tracker entry 470295118 documents the underlying defect.
Attack Vector
An attacker hosts a crafted HTML page and lures the victim to visit it through phishing, malvertising, or a compromised site. Once loaded, the page manipulates browser navigation or document state to cause the Omnibox to display a URL belonging to a different, trusted origin. The user then sees what appears to be a legitimate domain, while the rendered content is attacker-controlled. The attacker can use this discrepancy to harvest credentials, distribute malware disguised as trusted downloads, or impersonate banking and enterprise login portals. No verified public proof-of-concept code is currently available for this issue.
Detection Methods for CVE-2026-5898
Indicators of Compromise
- Outbound traffic from mobile devices to newly registered or low-reputation domains hosting login-style HTML pages
- Browser telemetry showing Chrome iOS versions below 147.0.7727.55 in active use
- User reports of address bars displaying familiar brand URLs alongside unfamiliar page content or certificate warnings
Detection Strategies
- Inventory mobile endpoints and identify devices running Chrome iOS versions earlier than 147.0.7727.55 via MDM compliance queries
- Monitor web proxy and DNS logs for navigation patterns consistent with phishing kits that target Chrome iOS users
- Correlate user-reported phishing incidents with the Chrome version metadata captured by identity providers during authentication
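The version inventory step above can be automated against an MDM export. The following is an added example, not code from the advisory or from Google; it assumes a hypothetical CSV export with device, bundle_id and version columns (real MDM exports differ per platform) and shows why the comparison must be numeric per component: a plain string compare would rank 147.0.7727.6 above 147.0.7727.55.

```python
"""Flag Chrome for iOS installs older than the fixed build for CVE-2026-5898.

Added example (not from the advisory). Assumes a hypothetical MDM inventory
export in CSV form with the columns used below; adapt to your platform's export.
"""
import csv
import io

# Fixed Chrome for iOS build named in the advisory.
FIXED_VERSION = "147.0.7727.55"
CHROME_IOS_BUNDLE_ID = "com.google.chrome.ios"

# Constructed sample inventory (hypothetical device names, versions and bundle ids).
SAMPLE_INVENTORY = """\
device,bundle_id,version
ios-sales-01,com.google.chrome.ios,146.0.7700.12
ios-sales-02,com.google.chrome.ios,147.0.7727.55
ios-exec-07,com.google.chrome.ios,147.0.7727.6
ios-hr-03,com.google.chrome.ios,147.0.7727.112
ios-eng-11,com.example.otherbrowser,146.0
"""


def parse_version(text):
    """Split a dotted version into a tuple of integers.

    Comparing tuples compares each component numerically, so
    147.0.7727.6 < 147.0.7727.55 as intended. Comparing the raw strings
    would get this wrong because "55" sorts before "6".
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed build is older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def find_unpatched(inventory_csv, bundle_id=CHROME_IOS_BUNDLE_ID):
    """Return (device, version) pairs for Chrome iOS installs below the fix."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["bundle_id"] != bundle_id:
            continue  # other browsers are out of scope for this CVE
        if is_vulnerable(row["version"]):
            hits.append((row["device"], row["version"]))
    return hits


if __name__ == "__main__":
    for device, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{device}: Chrome iOS {version} is below {FIXED_VERSION}")
```

Run against the constructed inventory, the check reports ios-sales-01 and ios-exec-07 and correctly leaves ios-hr-03 (a later build) and the exact fixed build alone.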
Monitoring Recommendations
- Track Google Chrome stable channel update announcements to confirm which builds are patched and whether your fleet has reached them
- Alert on credential submissions to domains that do not match the referrer indicated by browser telemetry
- Forward mobile browser logs and authentication events into a centralized data lake to support cross-source correlation of spoofing attempts
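The referrer-mismatch alert above, combined with the Chrome iOS version check, can be expressed as a small correlation over proxy logs. This is an added example and not part of the advisory; it assumes a constructed, space-separated log format (client, method, URL, referrer, quoted User-Agent) and relies on the fact that Chrome for iOS identifies itself with a "CriOS/<version>" token. All hostnames are placeholders, and the registrable-domain logic is a deliberate simplification.

```python
"""Correlate proxy log lines for CVE-2026-5898 triage.

Added example, not from the advisory. Assumes a constructed log format:
<client> <method> <url> <referrer-or-dash> "<user agent>"
Adapt parse_line() to your proxy's real format.
"""
import re
from urllib.parse import urlparse

# Fixed Chrome for iOS build named in the advisory.
FIXED_VERSION = "147.0.7727.55"
# Chrome for iOS carries a CriOS/<version> token in its User-Agent.
CRIOS_RE = re.compile(r"CriOS/(\d+(?:\.\d+)+)")
# Paths that commonly receive credential submissions (heuristic).
LOGIN_PATH_RE = re.compile(r"/(login|signin|auth|password)", re.IGNORECASE)
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample lines; every host and address is an illustrative placeholder.
SAMPLE_LOG = """\
10.0.0.5 POST https://login.example-bank.test/login https://login.example-bank.test/ "Mozilla/5.0 (iPhone) CriOS/146.0.7700.12 Mobile"
10.0.0.6 POST https://secure-verify.example-phish.test/signin https://login.example-bank.test/ "Mozilla/5.0 (iPhone) CriOS/147.0.7727.6 Mobile"
10.0.0.7 POST https://secure-verify.example-phish.test/signin https://login.example-bank.test/ "Mozilla/5.0 (iPhone) CriOS/147.0.7727.112 Mobile"
10.0.0.8 GET https://news.example.test/ https://login.example-bank.test/ "Mozilla/5.0 (iPhone) CriOS/146.0.7700.12 Mobile"
10.0.0.9 POST https://secure-verify.example-phish.test/signin - "Mozilla/5.0 (Macintosh) Chrome/146.0.7700.12"
"""


def parse_version(text):
    """Numeric per-component tuple, so 147.0.7727.6 < 147.0.7727.55."""
    return tuple(int(part) for part in text.split("."))


def chrome_ios_version(user_agent):
    """Return the CriOS version string, or None for other browsers."""
    match = CRIOS_RE.search(user_agent)
    return match.group(1) if match else None


def registrable_domain(url):
    """Last two labels of the host.

    Simplification for the example: a production check should consult the
    public suffix list so that hosts under suffixes like co.uk compare correctly.
    """
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    match = LINE_RE.match(line)
    if not match:
        return None
    client, method, url, referrer, user_agent = match.groups()
    return {
        "client": client,
        "method": method,
        "url": url,
        "referrer": None if referrer == "-" else referrer,
        "user_agent": user_agent,
    }


def find_suspect_submissions(log_text, fixed=FIXED_VERSION):
    """Credential-style POSTs from unpatched Chrome iOS whose destination
    domain differs from the referrer's domain."""
    suspects = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        if not LOGIN_PATH_RE.search(urlparse(rec["url"]).path):
            continue
        version = chrome_ios_version(rec["user_agent"])
        if version is None or parse_version(version) >= parse_version(fixed):
            continue  # not Chrome iOS, or already on the fixed build
        if rec["referrer"] is None:
            continue  # no referrer means no domain to compare against
        source = registrable_domain(rec["referrer"])
        destination = registrable_domain(rec["url"])
        if source != destination:
            suspects.append({
                "client": rec["client"],
                "version": version,
                "referrer_domain": source,
                "destination_domain": destination,
            })
    return suspects


if __name__ == "__main__":
    for hit in find_suspect_submissions(SAMPLE_LOG):
        print(hit)
```

On the constructed log only the 10.0.0.6 line is reported: it is a login-path POST from an unpatched build (147.0.7727.6) whose destination domain differs from the referrer's. The same-domain submission, the GET, the patched-build submission and the desktop request without a referrer are all filtered out, which keeps the alert focused on the population the advisory describes.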
How to Mitigate CVE-2026-5898
Immediate Actions Required
- Update Google Chrome on iOS to version 147.0.7727.55 or later through the Apple App Store
- Push the update through Mobile Device Management (MDM) policies to enforce installation on managed iOS devices
- Remind users that the address bar can be manipulated on unpatched builds and to verify URLs by tapping into the site information panel
Patch Information
Google addressed the issue in Chrome for iOS 147.0.7727.55. Details are published in the Google Chrome stable channel update announcement, and the underlying defect is tracked in the Chromium issue tracker entry 470295118. Apply the update across all iOS devices that have Chrome installed, including BYOD endpoints accessing corporate resources.
Workarounds
- Use an alternative browser on iOS until the Chrome update is deployed across managed devices
- Enforce phishing-resistant authentication such as FIDO2 or platform passkeys so spoofed URLs cannot lead to credential capture
- Deploy DNS and web filtering on mobile networks to block known phishing infrastructure that commonly abuses UI spoofing flaws
# Verify Chrome iOS version compliance via MDM query (example)
# Replace with the syntax used by your MDM platform (Intune, Jamf, Workspace ONE)
mdm query --app com.google.chrome.ios --field CFBundleShortVersionString --min 147.0.7727.55
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.