Microsoft disclosed a high-severity security vulnerability in its Edge browser for Android on July 3, 2026, warning that it could allow unauthorized access to private personal information. The company has released a patched version—129.0.2792.65—and is urging all Edge for Android users to update immediately.
Tracked as CVE-2026-58296, the information disclosure flaw earned a high severity rating from Microsoft’s security response team, though the company hasn’t published a CVSS score. The vulnerability stems from how Edge for Android handles certain data requests, potentially exposing browsing history, saved passwords, autofill information, and other sensitive user data under specific attack scenarios. Microsoft’s advisory states that an attacker could exploit this vulnerability by crafting a malicious website or app that interacts with Edge’s rendering engine, causing it to leak information that should be sandboxed.
The Nuts and Bolts of the Flaw
Edge for Android, like many mobile browsers, relies on Chromium’s multi-process architecture to isolate web content from sensitive device data. In this case, a flaw in the browser’s implementation of inter-process communication (IPC) allowed a compromised renderer process to request data from the browser’s main process that should have been restricted. Microsoft confirmed that the vulnerability could be triggered remotely, without any user interaction beyond visiting a booby-trapped webpage.
The affected versions include all Edge for Android releases prior to 129.0.2792.65. Microsoft pushed the fix through the Google Play Store on July 3, the same day it published the advisory. The update has been rolling out gradually, but users can manually trigger it by visiting the Play Store listing or checking the browser’s built-in update mechanism.
What’s Really at Risk for You
For the average user, this vulnerability is the kind of security hole that fuels a wide range of privacy-invading attacks. An attacker who successfully exploits CVE-2026-58296 could:
- Steal login credentials stored in Edge’s password manager
- Exfiltrate browsing history, revealing sensitive sites visited
- Access autofill data like names, addresses, and credit card details
- Harvest session cookies to hijack active web accounts
The attack surface is broad: any website you visit with a vulnerable Edge version could be hostile. Worse, the flaw can be exploited without any visual indication—no pop-ups, no permission requests, no obvious signs that something is amiss. For business users who handle corporate credentials or access internal portals through Edge on Android, this vulnerability presents a direct path to enterprise data breaches.
How We Got Here: Edge on Android’s Security Track Record
Edge for Android launched in 2017, originally based on Microsoft’s EdgeHTML engine before switching to Chromium in 2020. Since then, it has seen relatively few critical CVEs compared to desktop browsers, but mobile vulnerabilities are particularly concerning due to the personal nature of smartphones. In 2025, a similar information disclosure flaw (CVE-2025-34012) in Chrome for Android led to Google fast-tracking a fix within 48 hours of discovery.
This latest bug was reported to Microsoft through its vulnerability disclosure program by an independent researcher, whose name was withheld pending full mitigation. Microsoft’s advisory noted that there is no evidence of active exploitation in the wild, but with the details now public, that could change rapidly. Historically, when mobile browser CVEs are disclosed, exploit code often appears within days as security researchers and malicious actors alike reverse-engineer the patches.
The timeline shows a quick response:
- June 28, 2026: Vulnerability reported to Microsoft
- July 1, 2026: Microsoft validates and develops fix
- July 3, 2026: Patch released and advisory published
Immediate Steps You Should Take
If you use Edge on Android, treating this update as optional could be a costly mistake. Here’s what to do right now:
1. Update Edge for Android
   - Open the Google Play Store, tap your profile icon, and select “Manage apps & device.”
   - Find Microsoft Edge in the list and tap “Update.”
   - Alternatively, open Edge, go to Settings > About Microsoft Edge, and the browser will check for and install the latest version.
2. Verify the version
   - After updating, type edge://version in the address bar. The top line should read “129.0.2792.65” or higher. If you see an older build, repeat step 1.
3. Enable automatic updates
   - In the Play Store, go to Settings > Network preferences > Auto-update apps, and choose “Over Wi-Fi only” or “Over any network” to ensure you never miss a critical browser patch again.
4. Review saved credentials
   - Since the flaw could have been exploited without your knowledge, it’s wise to visit edge://settings/passwords and review the list of saved passwords. Change any high-value credentials (email, banking, work accounts) as a precaution, and consider enabling two-factor authentication where available.
5. For IT administrators
   - If you manage a fleet of Android devices via Microsoft Intune or another MDM, push the update as a mandatory app upgrade. Ensure your compliance policies flag devices running Edge versions below 129.0.2792.65. Microsoft has also released updated app configuration policies that can enforce the patched version.
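The compliance check described in the IT administrator item above, as an added example (not Microsoft's tooling or code from the advisory): it flags devices below 129.0.2792.65 from an inventory export and compares version components numerically, because a plain string comparison misorders builds such as 129.0.2792.9 and 129.0.2792.100. The CSV layout, column names and device rows are constructed for illustration.

```python
import csv
import io

FIXED_VERSION = "129.0.2792.65"  # patched build named in the advisory

# Constructed sample export; the column names are assumptions, not an MDM schema.
SAMPLE_INVENTORY = """device_id,edge_version
pixel-001,129.0.2792.65
galaxy-014,129.0.2792.9
pixel-022,129.0.2792.100
galaxy-031,128.0.2739.79
tablet-007,
tablet-009,130.0.2849.12-beta
"""


def parse_version(text):
    """Return a 4-tuple of ints for a dotted version, or None if unparseable."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(csv_text, fixed=FIXED_VERSION):
    """Classify each device as 'patched', 'vulnerable' or 'unknown'."""
    floor = parse_version(fixed)
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = parse_version(row.get("edge_version") or "")
        if version is None:
            # Missing or malformed data is not evidence of a patch: fail closed.
            results[row["device_id"]] = "unknown"
        elif version < floor:
            results[row["device_id"]] = "vulnerable"
        else:
            results[row["device_id"]] = "patched"
    return results


if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Devices reported as "unknown" need a follow-up check on the handset itself rather than being counted as compliant.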
The Bigger Picture: Mobile Browser Security
Mobile browsers are often viewed as secondary, but they’ve become primary access points for everything from banking to healthcare. A high-severity privacy leak in a major browser like Edge for Android underscores how fragile mobile security can be, even with sandboxing and regular updates. Unlike desktop browsers, which benefit from enterprise-grade deployment tools, mobile users are largely on their own when it comes to staying current—unless they work in a managed environment.
This incident also highlights the blurred line between convenience and security. Features that save passwords and autofill forms are massive time-savers, but they also concentrate sensitive data into a single choke point. When that choke point fails, the fallout is amplified.
What to Watch Next
Microsoft has not indicated whether the patch will be backported to older Edge versions or if it applies to Edge on iOS, which uses a different rendering engine (WebKit) due to Apple’s restrictions. The advisory mentions only Android, so iOS users are likely unaffected—but that could change if the root cause is found in shared components like Sync or the Edge web services layer.
The researcher credited with the discovery is expected to publish a detailed technical write-up after a 90-day disclosure deadline, which would fall around early October 2026. Until then, the public advisory remains the primary source of information. Keep an eye on the Microsoft Security Response Center (MSRC) blog for any updates regarding active exploitation or additional mitigation steps.
For now, the single most important action is to update Edge for Android immediately. If you haven’t opened the Play Store this week, now’s the time.