Serious Security Vulnerability Discovered in Microsoft Edge

A security researcher from Norway has uncovered a serious vulnerability in Microsoft Edge that allows attackers to retrieve stored passwords in plaintext. This security flaw affects the browser's password manager, which stores passwords without any encryption in memory. According to researcher Tom Jøran Sønstebyseter Rønning, attackers can intercept the passwords even if they are not used in the current session. Rønning demonstrated the vulnerability in a video released on May 4, 2026.

In this video, he shows how Microsoft Edge loads all stored passwords into memory without encrypting them. This poses a significant security risk, as attackers can gain access to this sensitive data by reading the memory. Unlike other password managers that typically use end-to-end encryption to securely store passwords, Microsoft Edge takes a different approach. While Edge requires authentication to access the passwords, this is insufficient when the passwords are stored unencrypted in memory. Rønning has also reported the vulnerability to Microsoft.

Reports indicate that he received feedback from the company stating that storing passwords in plaintext is not a bug but a deliberate design choice. The exact reason for this decision remains unclear, further raising security concerns. To warn users, Rønning plans to release a tool on GitHub that will allow users to check if their passwords are stored in plaintext. He recommends deleting passwords from the Microsoft Edge password manager and switching to a separate, secure password manager.

The vulnerability could potentially affect millions of users who have stored their passwords in the browser. Microsoft has yet to issue an official statement regarding the potential impacts or planned actions. Experts advise temporarily suspending the use of Edge's password manager until a solution is provided. The discovery of this vulnerability raises questions about the overall security of browsers, particularly regarding the storage of sensitive data. Users should be aware that using browser password managers carries risks that may be mitigated by choosing a specialized password manager.

The vulnerability could also impact the use of Microsoft Edge in enterprises, where the protection of sensitive data is of utmost importance. Companies should review their password management policies and make adjustments as necessary to ensure the security of their data. The vulnerability in Microsoft Edge may be classified as CVE-2026-XXXX, although the exact CVE number has not yet been released. Security researchers and IT experts are closely monitoring the situation for further information on the impacts and possible solutions.

The discovery of this security vulnerability comes at a time when cyberattacks and data breaches are increasingly common. Users are urged to reconsider their security practices and ensure that their passwords are stored in a secure environment. Rønning has emphasized that user security should be a top priority and that it is important to be informed about such vulnerabilities. "It is crucial for users to understand how their data is stored and what risks are associated with it," he said in an interview.