Two significant security vulnerabilities have been discovered in Anthropic’s Claude for Chrome browser extension, posing a severe threat to Google data privacy. Despite the release of multiple updates, these flaws remain unpatched, allowing attackers to access Gmail, Google Docs, and Calendar data using a simple script.
Discovery of the Vulnerabilities
Researchers from Manifold initially identified these vulnerabilities in May 2026. However, the issues persist in the latest extension version 1.0.80, released on July 7, 2026. These vulnerabilities are embedded in Claude’s content script and side panel, which, if exploited, can lead to unauthorized data access.
The first flaw stems from Claude’s content script, which processes user interactions without verifying if they are genuine. This oversight allows other browser extensions to simulate user clicks, prompting Claude to execute certain actions without user consent. Three of these actions involve reading Gmail, accessing Google Docs comments, and interacting with Google Calendar events.
Implications of the Security Flaws
In its default setting, Claude prompts users for approval before taking any actions. However, if the “Act without asking” mode is enabled, these actions occur silently, posing a critical risk rated at CVSS 9.6. This vulnerability highlights serious security concerns, especially for users who might unknowingly have this feature activated.
The second vulnerability relates to Claude’s side panel, which can enter a privileged mode without user consent when a specific URL parameter is used. Although this is not currently exploitable by external actors, it represents a potential future threat if new vulnerabilities arise, allowing unauthorized code to exploit this mechanism and gain full account access.
Response and Future Outlook
Both security issues align with known AI security challenges, including prompt injection and excessive agency. Proposed solutions involve implementing checks on user interactions and eliminating URL-based privilege escalations. However, these fixes have not yet been deployed.
Anthropic acknowledged the vulnerabilities quickly but has yet to implement a resolution, despite marking the issues as “Resolved.” This situation echoes a previous incident, ClaudeBleed, where a supposed fix was found inadequate, raising questions about the effectiveness of current security measures in AI browser extensions.
The ongoing failure to address these vulnerabilities underscores the urgent need for enhanced security protocols in browser extensions that handle sensitive data. As the digital landscape evolves, ensuring robust protection against such threats becomes increasingly critical.
