VULNERABILITY BRIEF · 🟠 High · Vulnerability

Microsoft Edge Preloads Saved Passwords in Plaintext Memory, Raising Credential‑Theft Risk

Researchers found that Microsoft Edge loads every saved password into process memory in cleartext at launch, exposing credentials to any local malware or malicious insider. The flaw is especially dangerous in shared‑infrastructure environments and threatens third‑party risk controls that depend on password secrecy.

LiveThreat™ Intelligence · 📅 May 08, 2026 · 📰 databreachtoday.com

Severity: High · Type: Vulnerability · Confidence: High · Affected: 3 sector(s) · Actions: 4 recommended · Source: databreachtoday.com

What Happened — Researchers discovered that Microsoft Edge automatically loads every saved password into the browser’s process memory in cleartext when the application starts. Unlike Chrome or Brave, Edge does not wait for a user‑initiated autofill request, leaving the entire credential store exposed for the duration of the session.

Why It Matters for TPRM

  • Local malware or a malicious insider can harvest enterprise credentials from a single compromised endpoint, then pivot to privileged accounts.
  • Shared‑infrastructure environments (Citrix, VDI, Remote Desktop) amplify the risk because one admin‑level attacker can read the memory of all user sessions on the same host.
  • Credential theft undermines existing third‑party risk controls that rely on password secrecy, such as MFA enrollment and least‑privilege policies.

Who Is Affected — Enterprises across all sectors that allow Edge to store passwords, especially those using shared desktops, VDI, or remote‑access solutions; SaaS providers whose staff rely on Edge for web‑based logins; Managed Service Providers (MSPs) that provision Windows workstations.

Recommended Actions

  • Disable password saving in Edge or enforce a policy that passwords are never stored locally.
  • Deploy endpoint‑detection‑and‑response (EDR) solutions that monitor for credential‑dumping techniques (e.g., LSASS memory reads).
  • Enforce multi‑factor authentication (MFA) for all privileged and service accounts to mitigate the impact of stolen credentials.
  • Conduct a rapid inventory of devices with Edge installed and verify that OS memory‑isolation controls (e.g., Windows Protected Process) are enabled.
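
One way to carry out the first and last actions on a single host, as an added example that is not from the brief or from Microsoft: the script reports whether Edge is installed and whether the `PasswordManagerEnabled` machine policy disables password saving, and writes the policy when run with `-Enforce`. The `-Enforce` switch and the output field names are this example's own, and it assumes Edge is registered under the App Paths key.

```powershell
# Added example: inventory Edge and audit (optionally enforce) the password-saving policy.
[CmdletBinding()]
param(
    [switch]$Enforce   # this example's own switch: write the policy when present
)

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$policyName = 'PasswordManagerEnabled'   # Edge policy; DWORD 0 disables password saving

# Assumption: Edge registers its executable under App Paths on this machine.
$appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe'
$edgeExe = (Get-ItemProperty -Path $appPath -ErrorAction SilentlyContinue).'(default)'
$edgeVersion = $null
if ($edgeExe -and (Test-Path -LiteralPath $edgeExe)) {
    $edgeVersion = (Get-Item -LiteralPath $edgeExe).VersionInfo.ProductVersion
}

function Get-EdgePasswordPolicy {
    # Returns the machine policy value, or $null when the policy is not configured.
    $item = Get-ItemProperty -Path $policyPath -Name $policyName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$policyName } else { $null }
}

$before = Get-EdgePasswordPolicy

if ($Enforce -and $edgeVersion -and $before -ne 0) {
    # Create the key only if missing, so existing Edge policies are left untouched.
    if (-not (Test-Path -Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    New-ItemProperty -Path $policyPath -Name $policyName -PropertyType DWord -Value 0 -Force | Out-Null
}

$after = Get-EdgePasswordPolicy

# One record per host; pipe to Export-Csv or collect centrally for the inventory.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    EdgeInstalled  = [bool]$edgeVersion
    EdgeVersion    = $edgeVersion
    PolicyBefore   = $before
    PolicyAfter    = $after
    SavingDisabled = ($after -eq 0)
}
```

Writing under HKLM requires an elevated session. The policy stops Edge from saving passwords; entries already saved in a profile are not deleted by it and have to be cleared separately.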

Technical Notes — The issue stems from Edge’s design choice to preload the password vault into RAM for performance. Windows does not prevent a non‑elevated process from reading another process’s memory under the same user context, allowing any local malware to scrape cleartext passwords. No CVE has been assigned yet; Microsoft has labeled the behavior “by design” and states that exploitation requires prior administrative access. Source: DataBreachToday

📰 Original Source
https://www.databreachtoday.com/breach-roundup-microsoft-edge-turns-passwords-into-targets-a-31629

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
