CVE-2026-12068: Avira Password Manager credential disclosure via cross-origin autofill in Firefox
Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection. This issue affects Avira Password Manager when used with Mozilla Firefox on Windows, macOS, and Linux.
Metrics
- CVSS v3.1: 7.4
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an information disclosure vulnerability in Avira Password Manager when used as a browser extension with Mozilla Firefox. A remote attacker who controls a cross-origin iframe embedded in a page where Avira Password Manager autofills credentials can read those autofilled credentials due to incorrect autofill field selection logic. Successful exploitation exposes the victim's username and password for the affected site to the attacker's origin. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream ships a fix.
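The origin check that prevents this class of leak, shown here as an added example written for this page and not as Avira's, Gen Digital's or HarborGuard's code: the rule is that a credential may only be filled into a form whose own frame origin (not merely the top-level page's origin) matches the origin the credential was saved for. The fill/prompt/deny policy, the function names and the sample URLs are assumptions constructed for the illustration.

```javascript
// Added example (not Avira's, Gen Digital's or HarborGuard's code): the
// origin-scoping rule a password-manager content script should apply before
// filling a stored credential. Function names and the policy are hypothetical.

// Serialized origin (scheme://host[:port]) for an http(s) URL, or null for
// anything unparsable or non-http(s) (about:blank, data:, javascript:).
// A null origin is treated as opaque and never matches anything.
function originOf(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (err) {
    return null;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  return parsed.origin; // normalizes default ports and lowercases the host
}

// Decide what to do with a stored credential for a login form.
//   credentialUrl: the URL the credential was saved for
//   frameUrl:      document URL of the frame that actually contains the form
//   topUrl:        URL of the top-level document embedding that frame
// Returns { action: 'fill' | 'prompt' | 'deny', reason }.
function autofillDecision(credentialUrl, frameUrl, topUrl) {
  const cred = originOf(credentialUrl);
  const frame = originOf(frameUrl);
  const top = originOf(topUrl);
  if (cred === null || frame === null || top === null) {
    return { action: 'deny', reason: 'opaque or non-http(s) origin involved' };
  }
  // The field being filled must belong to a document of the credential's
  // own origin. Selecting fields by the top-level page alone is exactly the
  // mistake that lets a third-party iframe receive the parent's credentials.
  if (frame !== cred) {
    return { action: 'deny', reason: `form origin ${frame} is not ${cred}` };
  }
  // Same-origin form, but embedded by a different origin: the embedder can
  // overlay or resize the frame, so require an explicit user confirmation.
  if (top !== cred) {
    return { action: 'prompt', reason: `embedded by third-party origin ${top}` };
  }
  return { action: 'fill', reason: 'form and top-level document share the credential origin' };
}

// Constructed scenario: a credential saved for https://bank.example, and a
// bank login page that embeds a third-party widget iframe.
const CRED = 'https://bank.example/login';
const widgetInBankPage = autofillDecision(CRED, 'https://widget.example.net/f', 'https://bank.example/login');
const bankFormInBankPage = autofillDecision(CRED, 'https://bank.example/login', 'https://bank.example/login');
```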
HarborGuard Coverage
Detection of CVE-2026-12068 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication, including custom-built images that bundle Avira Password Manager or the Firefox browser extension. HarborGuard ingests from upstream advisory feeds continuously, so any image containing an affected version is flagged as soon as the record is indexed.
Triage is available using the CVSS v3.1 score of 7.4 (HIGH), weighted further against each customer's per-environment compliance policy to determine urgency and routing. Each affected image finding is routed to the appropriate team inbox within the customer organization based on configured policy owners.
Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the meantime, customers with auto-remediation enabled will receive an advisory notification with compensating-control guidance rather than a rebuild PR, since no safe target version exists yet.
Exploit Conditions
- Network reachability: Required
The attacker must deliver a page containing a cross-origin iframe to the victim over the network, so the victim's browser must be able to reach the attacker-controlled origin.
- Authentication: Not required
No account or credentials on the target system are required; the attacker only needs to serve a web page the victim visits.
- Victim interaction: Required
The victim must navigate to the attacker-controlled page and trigger autofill on a site where their credentials are stored, making this a social-engineering vector that requires the user to visit a crafted URL.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and imposes no race conditions or special environmental prerequisites beyond delivering the malicious iframe to the victim.
Blast Radius
- The attacker reads the plaintext username and password autofilled by Avira Password Manager for whatever site the victim was authenticating to at the time of exploitation.
- Captured credentials can be replayed immediately against the target site, granting the attacker full access to that account without any further exploitation steps.
- If the victim reuses the same password across multiple services, the attacker gains a credential that works beyond the immediate target site.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-12068, the platform monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment Gen Digital ships a fix version. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads without manual intervention. While no patch exists, HarborGuard surfaces compensating-control recommendations for affected images: network-policy isolation to restrict outbound requests from containers serving pages that embed third-party iframes, egress filtering to block unexpected cross-origin data flows, and feature-flag gating to disable the Avira autofill extension in controlled test or CI environments where it is not required. Where compliance policy permits, customers can configure alert thresholds so that any new image layer introducing the affected extension version triggers an immediate pipeline block rather than a warning.
- Gen Digital / Avira Password Manager
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N