Microsoft has disclosed a path traversal vulnerability in Edge for Android that could expose sensitive user data, and is pushing a fix that all users need to install now. Tagged as CVE-2026-58300 and rated Important, the flaw was detailed on July 3, 2026, and is resolved in Edge version 150.0.4078.48, available through the Google Play Store.
A Path Traversal Flaw in Edge for Android
The vulnerability, described by Microsoft as an information disclosure issue, stems from a path traversal weakness in the browser. Path traversal attacks typically involve an attacker manipulating file paths in a way that lets them access directories and files outside the intended scope. In the context of a web browser, a specially crafted website or link could trick Edge into reading and disclosing files it has permission to access on the Android device.
Microsoft’s advisory does not specify exactly which files or data could be exposed, but the Important severity rating suggests a meaningful risk. On Android, browser apps like Edge store a variety of sensitive information within their own private data directories. This can include cookies, saved form data, cached content, and even synchronized passwords if the user has enabled that feature. An attacker could potentially harvest such data, leading to account takeovers, identity theft, or further compromise.
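The general bug class described above, shown as an added example that is not Edge's code and does not reflect the undisclosed details of CVE-2026-58300: a naive path join beside a hardened resolver that canonicalizes the request and refuses anything outside its base directory. The directory names, file names and requests are constructed for the demonstration, and URL-encoded input is an assumption.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_naive(base_dir, requested):
    """Weak form: joins the request onto the base, no containment check."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_contained(base_dir, requested):
    """Hardened form: decode once, canonicalize, require the result to stay
    inside base_dir. Raises ValueError on any escape."""
    decoded = unquote(requested)  # assumption: names arrive URL-encoded
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the comparison.
    target = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory: %r" % requested)
    return target


def demo():
    """Run constructed requests against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        downloads = os.path.join(root, "files", "downloads")  # intended scope
        private = os.path.join(root, "app_private")  # must stay unreachable
        os.makedirs(downloads)
        os.makedirs(private)
        open(os.path.join(downloads, "report.pdf"), "w").close()
        open(os.path.join(private, "Cookies"), "w").close()
        os.symlink(private, os.path.join(downloads, "link"))
        requests = ["report.pdf", "../../app_private/Cookies",
                    "..%2F..%2Fapp_private%2FCookies", "link/Cookies"]
        for name in requests:
            try:
                resolve_contained(downloads, name)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
        naive = resolve_naive(downloads, "../../app_private/Cookies")
        results["naive_escapes"] = naive == os.path.join(private, "Cookies")
    return results


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(request, "->", verdict)
```

The symlink case is why the check compares canonical paths rather than normalized strings: a name with no `..` in it can still resolve outside the base.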
No evidence of active exploitation has been shared, but the usual rhythm of vulnerability disclosure means that proof-of-concept code often follows quickly. For now, no technical details have been published beyond the CVE entry, but that won’t last forever.
Who Needs to Update
Anyone running Microsoft Edge on Android with a version earlier than 150.0.4078.48 is at risk. This includes any release channel—stable, beta, or dev—if the version number is older. Edge for Android typically auto-updates, but staggered rollouts and user-disabled automatic updates can leave devices lingering on insecure builds.
The vulnerability is specific to the Android app. Edge on Windows, macOS, iOS, or Linux is not affected by CVE-2026-58300. If your phone only uses Chrome or another browser, this advisory does not apply to you. However, many users keep Edge for its integration with Microsoft accounts and services, making the update critical for a sizable chunk of the Android ecosystem.
How to Patch the Flaw
Updating is straightforward:
- Open the Google Play Store on your Android device.
- Search for Microsoft Edge.
- If you see an Update button, tap it. If you see Open, you’re already on the latest version.
- After updating, verify the version number by opening Edge, tapping the three-dot menu, selecting Settings, and looking under About Microsoft Edge. Ensure it reads at least 150.0.4078.48.
If automatic updates are turned off, consider enabling them for security-critical apps like browsers. In the Play Store, you can go to the Edge app page, tap the three-dot menu, and check Enable auto update.
For organizations managing Android devices through Microsoft Intune or other mobile device management tools, push the latest version of Edge to all enrolled devices immediately. Microsoft has not released a separate advisory for enterprise, but standard patch management practices apply.
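For fleets where the version check above has to be done at scale, the following added example (not Microsoft's or Intune's tooling) classifies devices against the fixed build 150.0.4078.48 from the text that `adb shell dumpsys package` prints. The package name `com.microsoft.emmx` is assumed to be the stable-channel Edge package, and the device labels and version strings in the sample inventory are constructed.

```python
import re

FIXED = (150, 0, 4078, 48)           # fixed build named in the advisory
EDGE_PACKAGE = "com.microsoft.emmx"  # assumption: stable-channel package name


def parse_version(text):
    """'150.0.4078.48' -> (150, 0, 4078, 48); None if not four numeric parts."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(dumpsys_output):
    """Classify one device from `adb shell dumpsys package <EDGE_PACKAGE>` text."""
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_output, re.MULTILINE)
    if m is None:
        return "not-installed"
    version = parse_version(m.group(1))
    if version is None:
        return "unknown-version"
    # Compare numerically: as strings, "150.0.4078.9" sorts after "150.0.4078.48".
    return "patched" if version >= FIXED else "vulnerable"


def _dumpsys(version_name):
    """Build a trimmed, constructed dumpsys excerpt for the sample inventory."""
    return ("Packages:\n  Package [%s] (a1b2c3):\n"
            "    versionCode=1 minSdk=26\n    versionName=%s\n"
            % (EDGE_PACKAGE, version_name))


# Constructed inventory: device label -> captured text (not real devices).
SAMPLE = {
    "phone-01": _dumpsys("150.0.4078.48"),
    "phone-02": _dumpsys("150.0.4078.9"),    # string compare would pass this
    "phone-03": _dumpsys("149.0.4000.120"),
    "phone-04": _dumpsys("150.0.4078.100"),  # string compare would fail this
    "phone-05": "Packages:\n",               # Edge absent: no versionName line
}


def audit(inventory):
    """Return {device: status} for every captured dumpsys text."""
    return {device: classify(text) for device, text in inventory.items()}


if __name__ == "__main__":
    for device, status in audit(SAMPLE).items():
        print(device, status)
```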
If for some reason you cannot update, consider switching to an alternative browser until the update is applied. Uninstalling Edge removes the risk entirely, but that also means losing any synced data tied to your Microsoft account within the browser.
Edge for Android’s Security Track Record
This is far from the first security flaw reported in Edge for Android. As a Chromium-based browser, it inherits both the strengths and the patch cycle of the open-source project that underpins Chrome. Google regularly patches vulnerabilities in Chromium, and Microsoft repackages those fixes into its own releases. However, platform-specific issues—like this path traversal—can arise independently in the Edge wrapper or in how the app interacts with the Android operating system.
In 2025, for instance, Microsoft addressed a similar Important-rated information disclosure bug in Edge for Android tracked as CVE-2025-42273, which also involved improper file handling. Before that, a privilege escalation flaw in Edge’s Android WebView component made headlines. These recurring issues highlight the complexity of maintaining a secure browsing engine across operating systems where file permissions and sandboxing differ from desktop environments.
The Microsoft Security Response Center (MSRC) now follows a predictable pattern: vulnerabilities are patched, CVE numbers are published, and updates roll out via the Play Store. The speed of Android updates depends on Google’s infrastructure, but Edge often receives patches alongside Chrome’s own release cadence, typically a day or two after the desktop Chromium stable channel update.
What Comes Next
Microsoft has not indicated whether it will publish a detailed technical write-up of CVE-2026-58300. Often, the company waits several weeks or months before sharing deeper analysis, giving users time to patch. Security researchers may independently reverse-engineer the update to understand the flaw, and that knowledge will eventually percolate into public blogs and conference talks.
For now, the key takeaway is simple: update Edge on your Android device immediately. The fix is out, it’s trivial to install, and it closes a real risk of data exposure. Keep an eye on the Microsoft Security Response Center’s update guide for any follow-up notes, and ensure automatic updates are enabled to catch the next release without delay.