Cleartext Password Storage Vulnerability Discovered in Microsoft Edge Browser (2026)
What Happened — Researchers at the SANS Internet Storm Center reported that Microsoft Edge was storing user passwords in cleartext under certain conditions, exposing credentials to local attackers and potentially to malicious software. The issue affects recent Edge builds on Windows 10/11 and can be triggered by specific configuration flags.
Why It Matters for TPRM —
- Credential leakage from a widely‑deployed browser can compromise downstream SaaS applications.
- Third‑party risk assessments must account for endpoint security gaps that expose shared credentials.
- Unpatched browsers increase the attack surface for supply‑chain and insider threats.
Who Is Affected — Enterprises across all sectors that rely on Microsoft Edge for web access, especially those that enable the built‑in password manager for employee accounts.
Recommended Actions — Review Edge deployment configurations, disable the built‑in password manager until a fix is released, enforce MFA on all critical SaaS services, and monitor for anomalous credential usage.
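The "disable the built-in password manager" step above, as an added PowerShell example that is not from the SANS diary or from Microsoft. It assumes the Edge policy registry locations under SOFTWARE\Policies\Microsoft\Edge and the PasswordManagerEnabled REG_DWORD value (0 = disabled) as documented for Edge group policy; writing the HKLM key requires an elevated session.

```powershell
# Added example (not the source's code): audit the Edge password-manager policy in
# both hives, then optionally enforce it at machine scope with -WhatIf support.
$EdgePolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',   # machine policy takes precedence
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'    # per-user policy
)

function Get-EdgePasswordManagerPolicy {
    # Returns one object per hive; Value is $null when the policy is not configured.
    foreach ($path in $EdgePolicyPaths) {
        $value = $null
        if (Test-Path $path) {
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            $value = $props.PasswordManagerEnabled
        }
        $state = switch ($value) {
            0       { 'Disabled' }
            1       { 'Enabled' }
            default { 'NotConfigured (Edge default: enabled)' }
        }
        [pscustomobject]@{ Path = $path; Value = $value; State = $state }
    }
}

function Set-EdgePasswordManagerDisabled {
    # Sets PasswordManagerEnabled = 0 (assumed policy name); default scope is HKLM.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $EdgePolicyPaths[0])
    if ($PSCmdlet.ShouldProcess($Path, 'Set PasswordManagerEnabled = 0')) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name 'PasswordManagerEnabled' `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Get-EdgePasswordManagerPolicy | Where-Object Path -eq $Path
}

# Audit first; drop -WhatIf once the change has been reviewed for the fleet.
Get-EdgePasswordManagerPolicy | Format-Table -AutoSize
Set-EdgePasswordManagerDisabled -WhatIf
```

Roll the same value out through Group Policy or Intune for managed endpoints; the script is for spot-checking individual hosts and confirming the policy landed.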
Technical Notes — The flaw stems from a mishandled encryption routine: passwords are written to the local profile directory unencrypted. No CVE has been assigned yet; the vulnerability is classified as a local privilege issue. Affected data includes the usernames and passwords for every site saved in Edge. Source: https://isc.sans.edu/diary/rss/32954