A newly discovered security flaw in Anthropic’s Claude Chrome extension could allow malicious browser extensions to hijack the AI assistant and access sensitive user data without permission.
Quick Summary
- Researchers at LayerX discovered a vulnerability called ClaudeBleed in Anthropic’s Claude Chrome extension.
- The flaw could let malicious Chrome extensions control Claude AI and perform actions on behalf of users.
- Attackers may gain access to Gmail, Google Drive, and private GitHub repositories.
- Anthropic released a partial fix, but researchers say the core issue still exists.
What Happened?
Cybersecurity researchers at LayerX uncovered a major security vulnerability in Anthropic’s “Claude in Chrome” extension that could allow attackers to take over the AI assistant through malicious browser extensions. The issue, named ClaudeBleed, reportedly affects the way the extension trusts scripts running on the claude.ai domain.
Researchers say the flaw allows even low privilege or zero permission Chrome extensions to send commands directly to Claude AI and trick it into performing sensitive actions on behalf of users.
A vulnerability called ClaudeBleed in the Claude Chrome extension allows attackers to take over the AI via remote prompt injection, risking data theft from Gmail, GitHub, and Google Drive. #ClaudeBleed #AIsecurity #USAhttps://t.co/cHChZ9rlzf
— Cybersecurity News Everyday (@TweetThreatNews) May 8, 2026
How the ClaudeBleed Vulnerability Works?
According to LayerX, the vulnerability comes from weak trust verification inside the Claude Chrome extension. The extension reportedly trusts any script running under the claude.ai origin without properly checking whether the script actually belongs to Anthropic.
This creates a dangerous loophole where attackers can create a seemingly harmless Chrome extension and inject commands into Claude’s internal messaging system.
LayerX researcher Aviad Gispan explained that the flaw is tied to Chrome’s externally_connectable feature, which allows browser extensions and websites to communicate with each other.
Researchers found that malicious extensions could exploit this communication channel to remotely inject prompts into Claude AI. Once successful, attackers could make the AI assistant perform actions using the victim’s active browser sessions.
In proof of concept demonstrations, researchers showed that attackers could:
- Access and share sensitive Google Drive files.
- Send emails through Gmail accounts.
- Extract code from private GitHub repositories.
- Summarize inbox messages.
- Delete evidence after performing actions.
LayerX warned that the issue effectively breaks Chrome’s extension isolation protections because a zero permission extension can inherit the capabilities of a trusted AI assistant.
Researchers Also Bypassed Claude’s Safety Protections
Claude normally asks users for confirmation before carrying out sensitive actions. However, researchers claim they found ways to bypass some of these protections.
One technique involved repeatedly sending automated approval prompts until the system accepted the request. LayerX referred to this method as approval looping.
Researchers also manipulated webpage elements through Document Object Model manipulation. By changing button names and hiding warning messages, they reportedly altered Claude’s understanding of what actions were being performed.
This allowed dangerous actions to appear harmless to the AI assistant.
LayerX said the extension trusted the origin of the command instead of verifying the actual execution context, making the attack possible.
Anthropic Released a Partial Fix
LayerX reported the vulnerability to Anthropic on April 27. Anthropic responded a day later and confirmed it was already working on a patch.
The company later released fixes in version 1.0.70 of the Claude extension. However, researchers claim the update only partially addressed the issue.
According to LayerX, attackers may still bypass protections by switching Claude into “Act without asking” or privileged execution modes. Researchers noted that users are not warned or asked for approval when this mode changes.
As of now, LayerX recommends users carefully review installed Chrome extensions, avoid unnecessary add ons, and disable autonomous AI browsing features whenever possible.
The company also suggested stronger security measures, including authenticated message signing, trusted extension verification, and one time approval systems that cannot be replayed by attackers.
Why This Matters?
The ClaudeBleed vulnerability highlights a growing security concern around AI-powered browser assistants. As AI agents gain deeper access to emails, documents, cloud storage, and browsing sessions, security flaws could become significantly more dangerous than traditional browser extension bugs.
Researchers warn that AI assistants with autonomous capabilities may become attractive targets for attackers looking to automate data theft and account abuse at scale.
SQ Magazine Takeaway
I think this incident is a major warning sign for the future of AI powered browsers and assistants. Giving AI agents access to emails, files, and browser controls can make daily tasks easier, but it also creates a massive security risk if protections fail. What makes ClaudeBleed especially worrying is that attackers reportedly did not need advanced permissions to abuse the system. This shows how quickly AI convenience can turn into a serious cybersecurity problem if trust models are not designed carefully from the start.
