Google has released an urgent update for Chrome on Windows and Mac, patching a vulnerability in the browser’s built-in password manager that could allow a remote attacker to siphon sensitive data across different websites.
The update, Chrome 150.0.7871.47, landed on June 30, 2026, and addresses a single security flaw tracked as CVE-2026-14019. While rated as medium severity, the nature of the bug—a cross-origin data leak—makes it a priority fix for anyone who relies on Chrome to store and autofill passwords.
The update at a glance
Chrome 150.0.7871.47 is a targeted security release that fixes only CVE-2026-14019. No other changes or features are included. The build is rolling out to Windows and Mac users via the browser’s automatic update mechanism; it will reach all users over the coming days.
Google’s advisory provides few technical details, as is customary to give users time to apply the patch before attackers reverse-engineer the flaw. What we do know is that the bug resides in the Passwords component—the engine behind Chrome’s password manager—and an exploit could result in a “cross-origin data leak.”
In practice, that means a malicious website could, under certain conditions, extract information that belongs to a completely different web domain. For a password manager, that’s as dangerous as it sounds: credentials stored for one site could theoretically be read by another. Google assigns a severity of Medium, likely because the attack requires specific preconditions or user interaction, but the potential impact on everyday browsing is undeniable.
Why cross-origin data leaks are uniquely dangerous for password managers
Browsers enforce a strict policy known as the same-origin policy: a script running on evil.com may not read data from yourbank.com. This is the fundamental security boundary that keeps your logged-in session tokens, cookies, and personal data isolated. A cross-origin data leak circumvents that barrier.
When such a flaw lands in the password manager, the stakes are higher. The password manager has legitimate access to credentials across all domains where you’ve saved logins. If an attacker can trigger a cross-origin leak through the password manager’s own logic—for instance, by crafting a phony login form that tricks the autofill engine into revealing data from a different origin—they could harvest usernames and passwords en masse.
Chrome’s password manager has evolved into a sophisticated tool that syncs across devices, generates strong passwords, and warns of breaches. That convenience also expands the attack surface. Every time you visit a site and Chrome offers to fill in a saved password, a complex dance of heuristics, origin checks, and JavaScript interaction determines what gets filled and when. A logic flaw in that dance can expose data that was never meant to leave its intended domain.
What you should do right now
For home users: the fix is simple. Open Chrome, click the three-dot menu at top right, go to Help > About Google Chrome. The browser will check for updates and automatically install version 150.0.7871.47. After the install, click Relaunch to restart Chrome and apply the patch.
You can verify the update by returning to the About page and confirming the version number. Even though Chrome updates itself quietly in the background, it’s wise to force a check, especially if you haven’t restarted the browser in a while. The vulnerability is already public, and delay leaves you exposed.
For IT administrators: the update should be pushed through your normal patch management pipeline immediately. Chrome’s enterprise policies allow forced updates and managed deployment. Because this is a single CVE fix with no other modifications, the risk of regression is low. Test on a small subset if your policy requires it, but don’t postpone wide distribution—the medium rating doesn’t mean low risk; it often reflects the complexity of exploitation, not the severity of potential data loss.
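For fleet triage, the check below is an added example, not Google's tooling: it compares inventoried Chrome versions numerically against the fixed build named in this article. The CSV column names and hostnames are hypothetical, and treating any build at or above 150.0.7871.47 as patched is an assumption.

```python
# Added example: flag hosts still below the fixed Chrome build.
import csv
import io

FIXED = (150, 0, 7871, 47)      # fixed build stated in the article
COVERED = {"windows", "mac"}    # platforms the article says this update targets


def parse_version(text):
    """Return a 4-int tuple, or None if the string is not a dotted version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(platform, version):
    """Return patched / vulnerable / unparseable / not-covered for one host."""
    if platform.strip().lower() not in COVERED:
        return "not-covered"    # the article gives no fixed build for other platforms
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"    # needs manual follow-up, never assume patched
    # Tuple comparison is numeric per component. Comparing the raw strings
    # would wrongly rank ".9" above ".47" and ".100" below it.
    return "patched" if parsed >= FIXED else "vulnerable"


def triage(inventory_csv):
    """Map hostname -> status for a host,platform,version CSV export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["platform"], r["version"]) for r in rows}


# Constructed inventory export (hypothetical hosts and versions).
SAMPLE = """host,platform,version
wks-01,Windows,150.0.7871.47
wks-02,Windows,150.0.7871.9
mac-07,Mac,150.0.7871.100
mac-08,Mac,149.0.7800.120
lab-03,Linux,150.0.7871.46
wks-09,Windows,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```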
For developers: while this specific flaw is in the password manager, cross-origin data leaks are a perennial web security concern. Audit your own sites for strict CORS policies, use the Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy headers, and never assume the browser itself is free of bugs. Defense in depth remains your best strategy.
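One way to run the header audit suggested above, as an added example that is not from Google's advisory: the function inspects a single response's headers for CORS mistakes and for missing Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy values. The finding codes, the probe origin and both sample responses are constructed for illustration.

```python
# Added example: audit one HTTP response for the headers named above.
COOP_OK = {"same-origin", "same-origin-allow-popups"}
COEP_OK = {"require-corp", "credentialless"}


def audit_headers(headers, probe_origin=None):
    """Return sorted finding codes for one response's headers.

    probe_origin is an untrusted Origin value the auditor sent with the
    request; seeing it echoed back means the server reflects any origin.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = set()

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}

    if acao == "*" and creds:
        findings.add("cors-wildcard-with-credentials")
    if acao == "null":
        findings.add("cors-null-origin-allowed")
    if acao and probe_origin and acao == probe_origin:
        findings.add("cors-reflects-credentialed-origin" if creds
                     else "cors-reflects-any-origin")
    if acao and acao != "*" and "origin" not in vary:
        # Without Vary: Origin a shared cache can serve one origin's
        # CORS grant to a different origin.
        findings.add("cors-missing-vary-origin")

    coop = h.get("cross-origin-opener-policy", "").split(";")[0].strip().lower()
    if coop not in COOP_OK:
        findings.add("coop-missing-or-unsafe")
    coep = h.get("cross-origin-embedder-policy", "").split(";")[0].strip().lower()
    if coep not in COEP_OK:
        findings.add("coep-missing-or-unsafe")
    return sorted(findings)


PROBE = "https://probe.example"  # constructed, untrusted test origin

# Constructed sample responses (not captured from any real site).
WEAK = {"Access-Control-Allow-Origin": PROBE,
        "Access-Control-Allow-Credentials": "true"}
HARDENED = {"Access-Control-Allow-Origin": "https://app.example",
            "Vary": "Accept-Encoding, Origin",
            "Cross-Origin-Opener-Policy": "same-origin",
            "Cross-Origin-Embedder-Policy": "require-corp"}

if __name__ == "__main__":
    print("weak:", audit_headers(WEAK, PROBE))
    print("hardened:", audit_headers(HARDENED, PROBE))
```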
How we got here
This isn’t Chrome’s first rodeo with password manager vulnerabilities. Over the years, researchers have found ways to abuse autofill behavior to extract credentials from hidden fields, to bypass origin checks, or to force the password manager to relinquish data it shouldn’t. Each time, Google patches and adds tighter controls, but the complexity of the web ecosystem means new edge cases emerge.
Chrome 150 itself is part of an aggressive release cycle—new major versions every four weeks—with regular security patches in between. This particular fix comes two weeks after Chrome 150’s initial launch, a typical window for mid-cycle security updates. The rapid cadence means users need to stay on their toes; outdated Chrome is one of the most common vectors for real-world attacks.
Cross-origin leaks have become a particularly hot topic in browser security over the past few years. Spectre-style side-channel attacks demonstrated that data could jump origins via timing measurements. Since then, browser vendors have been systematically closing down information leakage channels through new headers, site isolation, and process sandboxing. Yet bugs in core components like the password manager remind us that even well-guarded browsers can have cracks.
Google’s reward for this bug hasn’t been disclosed, but the company’s Vulnerability Reward Program typically pays researchers for medium-severity findings. The fact that the advisory names no researcher suggests the flaw may have been discovered internally during routine auditing or automated fuzzing.
Practical impact and what “medium severity” really means
The National Institute of Standards and Technology (NIST) defines medium severity as a vulnerability that could “result in limited loss of confidentiality, integrity, or availability” or where exploitation is not straightforward. In Chrome’s ranking, Medium often indicates a bug that needs a specific set of circumstances—for example, a user must be logged into a particular service, visit an attacker-controlled page, and perhaps interact with a form in a specific way.
But for a password manager, even a “limited” loss of confidentiality can be catastrophic. A single leaked credential can unlock a domino effect if the user reuses passwords (a practice Chrome itself warns against). And because Chrome’s password manager syncs across devices through your Google account, a compromised credential on one machine could, in theory, give an attacker the key to your entire digital life.
So treat this patch as you would any high-severity update: with urgency.
What’s next
Chrome 150.0.7871.47 is a one-off security fix, but more updates are on the horizon. Google is already working on Chrome 151, scheduled to hit the stable channel in late July 2026, with its own set of security improvements and feature removals. Keep automatic updates enabled, and consider turning on Enhanced Safe Browsing (found in Settings > Privacy and security > Security) for an additional layer of real-time protection against malicious sites that might attempt to exploit unpatched flaws.
For password manager skeptics, this incident might rekindle the third-party vs. built-in debate. Dedicated managers like Bitwarden or 1Password aren’t immune to bugs, but they do decouple the browser’s attack surface from your credential store. If you prefer to keep using Chrome’s manager—as millions do for its seamless integration—ensure you’re also using two-step verification for your Google account. That way, even if passwords leak, your account itself is harder to hijack.
In the meantime, the best defense is a current browser. Take two minutes to check your Chrome version right now. The fix is ready.