Google has shipped a fix for a medium-severity security flaw in Chrome’s built-in password manager that could have allowed attackers to trick users into handing over their credentials. The vulnerability, tracked as CVE-2026-13960, was published by the National Vulnerability Database on June 30, 2026, and modified on July 2. All Chrome installations prior to version 150.0.7871.47 are affected, and the update is rolling out now to the Stable channel for Windows, Mac, and Linux.

What the vulnerability actually involved

CVE-2026-13960 sits in the Passwords component of the browser. According to the NVD entry, the weakness permits user interface (UI) spoofing—meaning a malicious webpage could present a fake password prompt that looks identical to Chrome’s legitimate autofill or save-password dialog. If a user fell for the ruse, they would unknowingly type their credentials directly into an attacker’s hands.

Google’s internal severity assessment for this bug is medium, though the company typically withholds full technical details until a majority of users have applied the update. NVD’s advisory does not yet list a CVSS score or attack vector, but “medium” suggests the flaw either requires user interaction, is difficult to exploit at scale, or both. In practice, a successful attack would likely rely on a targeted phishing campaign where a user is lured to a specially crafted site.

The fix landed in Chrome 150.0.7871.47, part of the Stable channel release that went out in late June 2026. The update also includes other security patches that Google is keeping under wraps for now. As is standard, the browser will auto-update for most users over the coming days, but you can force the upgrade immediately if you prefer.

What this means for you

Everyday Windows users

The risk to the average person is low, but not zero. Chrome’s password manager is widely used, and a convincing fake dialog could fool even cautious users. Because the attack requires you to visit a malicious site and interact with the spoofed prompt, it is not something that can be triggered silently in the background. Still, if you reuse passwords across services, a single stolen credential could unlock multiple accounts.

The good news: updating is trivial. Chrome’s auto-update mechanism will pull down the patch without any action on your part—provided you haven’t disabled it. If you regularly close your browser, the update will install the next time you relaunch.

Power users and tinkerers

If you’ve turned off automatic updates to control when patches land, or if you run Chrome in a sandboxed or manually updated environment, you need to grab version 150.0.7871.47 manually. Check chrome://settings/help to see your current version. Those who rely on the password manager heavily—such as anyone storing dozens or hundreds of logins—should prioritize the update.

IT administrators and enterprise shops

For organizations that manage Chrome via Group Policy, SCCM, or a mobile device management platform, the window between the vulnerability’s disclosure and blanket patch deployment is critical. CVE-2026-13960 may not be actively exploited yet, but the publication of the CVE entry on June 30 puts it on attackers’ radar. Admins should:

  • Verify that managed Chrome instances are set to auto-update or push the latest MSI.
  • Audit any environment where users have permission to delay restarts—browsers that linger on older versions remain exposed.
  • Remind users about phishing red flags. A spoofed password dialog might appear even when the user didn’t navigate to a login page or see an autofill prompt, which is a strong signal of foul play.

Because the flaw affects the Passwords component, consider whether your organization’s password policies need a refresh. If users are already trained to use a dedicated password manager (Bitwarden, 1Password, etc.) and never store credentials in Chrome, the impact is blunted. However, blanket disablement of Chrome’s password manager can be impractical in many environments.

How we got here: a brief history

Chrome’s integrated password manager has long been a target for UI spoofing attacks. The browser’s security model treats the password prompt as a trusted surface, so any flaw that allows a website to mimic it bypasses a key trust boundary. Google has patched similar issues before—for instance, CVE-2022-1234 (a hypothetical example) and other bugs that allowed overlays or full-page fakes.

The broader industry trend is clear: as native password managers gain adoption, they become more attractive to criminals. In 2024 and 2025, both Chrome and Firefox addressed multiple UI redressing attacks. Microsoft’s Edge browser, which shares the Chromium engine, often inherits these fixes shortly after they land in Chrome.

CVE-2026-13960 was likely reported through Google’s Vulnerability Reward Program (VRP) or by an external researcher who discovered that Chrome’s password dialog could be spoofed under specific conditions—perhaps by manipulating the browser window’s appearance or by injecting a lookalike element during an autofill flow. The NVD entry’s modification date of July 2 hints at a supplemental analysis, which could mean additional details are being vetted before full publication.

What’s clear is that the July 2026 Stable channel update closes the door. Google’s usual cadence means the patch was tested in the Beta and Dev channels for weeks before reaching the mainstream release.

What to do now

  1. Check your Chrome version. Open Chrome, click the three-dot menu (⋮) in the upper right, go to Help > About Google Chrome. The version number appears at the top. If it reads 150.0.7871.47 or higher, you’re protected.
  2. Trigger an immediate update. If your version is below 150.0.7871.47, the About page will automatically start downloading the update. Once it finishes, click the Relaunch button.
  3. If auto-update is stuck. On Windows, Chrome checks for updates only when you reload the About page. Sometimes a background service conflict prevents the download. In that case, download the latest installer from google.com/chrome and run it—it will update your existing installation without wiping data.
  4. Enterprise deployment. For managed environments, deploy the new MSI file (version 150.0.7871.47) to all Windows workstations. If you use Google’s Chrome Browser Cloud Management, verify that the “Stable channel” policy is set to allow automatic updates and that no machines are reporting as outdated in the admin console.
  5. Consider alternative password management. While Chrome’s built-in manager is convenient, dedicated password managers often include phishing protection that works even if the browser’s UI is spoofed. If you’re a high-value target (executive, IT admin, journalist), storing passwords outside the browser adds a crucial extra layer.
  6. Stay alert for fake dialogs. Until the update reaches everyone, be suspicious of any password entry box that appears unexpectedly. Chrome normally shows autofill reminders only on pages where you’ve previously saved a password. If a dialog asks for your Google account password in a place that doesn’t look like a legitimate Google login page, don’t type anything.
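For the audit step in the administrator checklist above (finding browsers that linger on older versions) and for the enterprise deployment step in the list just finished, here is an added example of the version check itself. It is not code from the article or from Google: it takes a CSV export of hostname and Chrome version pairs, as a management console or inventory tool might produce, and reports which hosts are still below 150.0.7871.47. The inventory data, hostnames and column names are constructed for the example; the one real-world point it demonstrates is that Chrome's four-part version must be compared numerically, since a plain string comparison would rank 150.0.7871.5 above 150.0.7871.47.

```python
"""Audit a Chrome version inventory against the fixed build for CVE-2026-13960.

Added example (not from the article or from Google): reads a CSV export of
hostname,version pairs and reports hosts still running a build older than
150.0.7871.47, the version the article names as carrying the fix.
"""
import csv
import io
import re

# Fixed build named in the article.
FIXED_VERSION = "150.0.7871.47"

# Constructed sample inventory; hostnames, versions and column names are made up.
SAMPLE_INVENTORY = """\
hostname,chrome_version
ws-finance-01,150.0.7871.47
ws-finance-02,149.0.7800.112
ws-hr-01,150.0.7871.5
ws-dev-03,150.0.7872.0
ws-lab-07,
ws-lab-08,unknown
"""

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Turn '150.0.7871.47' into (150, 0, 7871, 47); None if malformed.

    Comparing tuples of ints avoids the string-compare mistake where
    '150.0.7871.5' sorts after '150.0.7871.47' because '5' > '4'.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_patched(version_text, fixed=FIXED_VERSION):
    """True when the reported version is at or above the fixed build."""
    version = parse_version(version_text)
    if version is None:
        return False
    return version >= parse_version(fixed)


def audit_inventory(csv_text, fixed=FIXED_VERSION):
    """Classify hosts as patched, outdated or unknown.

    Hosts with a blank or malformed version are reported separately rather
    than silently counted as patched: an unknown version is an unverified one.
    """
    patched, outdated, unknown = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"].strip()
        version_text = (row.get("chrome_version") or "").strip()
        if parse_version(version_text) is None:
            unknown.append(host)
        elif is_patched(version_text, fixed):
            patched.append(host)
        else:
            outdated.append(host)
    return {"patched": patched, "outdated": outdated, "unknown": unknown}


if __name__ == "__main__":
    result = audit_inventory(SAMPLE_INVENTORY)
    for label in ("outdated", "unknown", "patched"):
        print(f"{label}: {', '.join(result[label]) or '(none)'}")
```

Point the script at a real export by replacing SAMPLE_INVENTORY with the file contents; the "unknown" bucket is worth following up on, since a host that reports no version at all is exactly the kind that an auto-update policy check would miss.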

Microsoft Edge users should note that while Edge’s password manager is independent, the underlying Chromium engine is shared. Microsoft usually ports security fixes within a week. Keep an eye out for an Edge update referencing this CVE.

Outlook

Google is unlikely to release full exploit details until at least a few weeks from now, giving the ecosystem time to patch. Security researchers may uncover attack scenarios that make the vulnerability more severe than first thought, so NVD’s rating could be adjusted. For now, the pragmatic action is the same: update Chrome.

Looking ahead, expect continued scrutiny of browser password managers. With passkeys slowly replacing traditional passwords, the attack surface is shifting, but millions of users still rely on old-school credentials—and thieves know it. Google’s update cadence remains your strongest defense, as long as you don’t get in its way.