CVE-2026-0102 is a vulnerability classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) affecting Microsoft Edge (Chromium-based) version 1.0.0.0. The flaw occurs when a malicious webpage can cause the browser to autofill stored personal data—such as addresses, email addresses, or phone number metadata—after two consecutive taps by the user. This autofill action may happen without explicit or clear user consent, potentially exposing sensitive information to unauthorized actors. The vulnerability requires user interaction (two taps) but no elevated privileges or authentication. The attack vector is remote (network), and the complexity is high, indicating that exploitation is not trivial. The CVSS v3.1 base score is 3.1, reflecting a low severity primarily due to limited confidentiality impact and the need for user interaction. There is no impact on data integrity or system availability. No known exploits have been reported in the wild, and Microsoft has not yet published patches. The vulnerability highlights a privacy risk where autofill data, often containing sensitive personal information, can be leaked to malicious websites under specific user interaction scenarios.

For European organizations, the primary impact is the potential unauthorized disclosure of personal data stored in browser autofill fields. This can lead to privacy breaches, especially in sectors handling sensitive customer or employee information, such as finance, healthcare, and government services. Although the vulnerability does not affect system integrity or availability, the exposure of personal data could violate GDPR requirements concerning data protection and user consent, potentially resulting in regulatory penalties and reputational damage. The requirement for user interaction reduces the likelihood of widespread automated exploitation but does not eliminate risk, particularly in environments where users may be targeted with social engineering or phishing campaigns designed to induce the necessary taps. Organizations relying heavily on Microsoft Edge Chromium for web access should consider this vulnerability in their risk assessments, especially where autofill data is extensively used.

1. Educate users about the risks of interacting with untrusted or suspicious websites, emphasizing caution with repeated taps or clicks that may trigger autofill. 2. Disable or limit autofill functionality in Microsoft Edge via group policies or browser settings, particularly in sensitive environments, to reduce exposure of personal data. 3. Monitor for updates from Microsoft and apply patches promptly once available to remediate the vulnerability. 4. Implement browser security configurations that restrict JavaScript execution or limit autofill triggers on untrusted sites using Content Security Policy (CSP) or similar controls. 5. Employ endpoint security solutions that can detect and block malicious webpages or phishing attempts designed to exploit this vulnerability. 6. Conduct regular security awareness training focusing on social engineering tactics that could facilitate exploitation. 7. Review and audit autofill data stored in browsers to minimize sensitive information exposure.