Anthropic releases fix for severe Claude Chrome extension flaw – researcher hacks patch in 3 hours


Anthropic has released only a partial fix for a flaw in Claude Code's Chrome extension – allowing any browser extension to hijack the AI assistant and act as the user – and researchers say they hacked the patch in just 3 hours.

That’s according to a new LayerX security blog and executive summary published Thursday.

Researchers say the flaw – dubbed “ClaudeBleed” – allows attackers to hijack Claude’s Chrome extension, extract whatever information they want, and get Claude to perform active, agentic actions on their behalf.

“This vulnerability effectively breaks Chrome’s extension security model by allowing a zero-permission extension to inherit the capabilities of a trusted AI assistant,” LayerX said, with one researcher calling it a “ticking time bomb.”

Anthropic’s Claude Chrome extension is still in beta. Image by gguy | Shutterstock

Any extension could hijack Claude actions

The affected Claude in Chrome extension, version 1.0.69, is still in beta and was released on April 22nd, 2026.

The issue stems from a trust-boundary flaw in the “Claude in Chrome” extension that allows scripts running in the browser to communicate with Claude’s large language model (LLM) without properly verifying who issued the request.

LayerX shows how the Claude Chrome extension trust boundary could be abused. Image by LayerX

While testing various exploits, the researchers found that malicious browser extensions could impersonate users and trigger privileged actions through Claude.

This included the extraction and external sharing of Google Drive files, sending emails remotely, and stealing source code from a private repository on GitHub.

In one test case, by manipulating the Claude user’s email account, the researchers were able to “summarize the user’s last five emails, send them to an external account, and then delete the sent email.”

Researcher bypasses Anthropic’s fix in hours

Researchers said they first discovered the flaw on April 27th, and privately disclosed the issue to Anthropic the next day.

The AI start-up responded that it was already aware of the problem and planned to address it in the next version of the extension (version 1.0.70), which was then released on May 6th.

Claude in Chrome lets users test code directly in the browser. Image by Anthropic

However, LayerX claims the released patch only partially addressed the flaw and failed to eliminate its “root cause.”

What’s more, the company’s principal security researcher, Aviad Gispan, said he was able to “hack the fix” within 3 hours.

Anthropic’s update added new checks meant to block remote commands in Claude’s “standard” mode. But researchers say those same commands could still run by switching the extension into “privileged” mode – without notifying the user or asking permission.

LayerX shows how approval checks could be bypassed through privileged mode. Image by LayerX

Researchers also say the flaw highlights a broader security problem plaguing many AI tools.

“In the current AI race, vendors are moving too fast and granting powerful capabilities to improve user experience, while neglecting basic security foundations and opening new opportunities for attackers,” explains Gispan.

“As AI agents become the norm, these structural flaws are a ticking time bomb,” the security research principal said.

AI agent flaw opens “severe” attack path

Besides performing actions on behalf of the user, LayerX further warns that, by bypassing user consent mechanisms, a malicious extension can also manipulate AI-driven decision-making, adding another layer of AI agent abuse.

“Claude’s decision-making relies heavily on DOM structure, visible text, UI semantics, and screenshot interpretation. These inputs are fully attacker-controlled within the page… something Chrome’s security model is explicitly designed to prevent,” the research states.

LayerX lists multiple reasons why it categorizes the flaw as “severe” and “difficult to detect,” including that zero permissions are required, no exploit chain or vulnerability chaining is needed, and no user interaction is required.

LayerX also provides several recommended remediation steps, including:

  • Introduce extension-to-page authentication tokens, such as signed requests
  • Restrict externally_connectable to trusted extension IDs instead of origins
  • Bind user approvals to specific actions, one-time tokens, and non-replayable flows
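
The second and third recommendations, sketched as an added example (not code from LayerX, Anthropic or the Claude extension): a hypothetical background-script gate that rejects senders outside an extension-ID allowlist and honors each user approval once, only for the exact action approved. The function names, message shape, extension ID and 60-second lifetime are assumptions made for illustration.

```javascript
// Hypothetical gate for a chrome.runtime.onMessageExternal-style handler.
// In an extension service worker crypto.randomUUID() is a global; the fallback covers older Node.
const randomUUID = globalThis.crypto?.randomUUID
  ? () => globalThis.crypto.randomUUID()
  : require("node:crypto").randomUUID;

// Constructed placeholder ID; a real allowlist would mirror externally_connectable "ids".
const TRUSTED_EXTENSION_IDS = new Set(["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]);
const APPROVAL_TTL_MS = 60_000; // assumed approval lifetime
const pendingApprovals = new Map(); // token -> { senderId, key, expires }

// Canonical string for exactly what the user approved (assumes flat, ordered params).
function actionKey(action) {
  return JSON.stringify([action?.type, action?.target, action?.params ?? null]);
}

// Called only by the extension's own approval UI after the user clicks "Allow".
function issueApproval(senderId, action, now = Date.now()) {
  const token = randomUUID();
  pendingApprovals.set(token, {
    senderId,
    key: actionKey(action),
    expires: now + APPROVAL_TTL_MS,
  });
  return token;
}

// sender is the MessageSender object Chrome passes to the listener; sender.id is set by the browser.
function authorize(sender, msg, now = Date.now()) {
  if (!sender || !TRUSTED_EXTENSION_IDS.has(sender.id)) {
    return { ok: false, reason: "untrusted-sender" };
  }
  const grant = pendingApprovals.get(msg?.approvalToken);
  if (!grant) return { ok: false, reason: "no-approval" };
  // Single use: the token is consumed even when a later check fails, so it cannot be retried.
  pendingApprovals.delete(msg.approvalToken);
  if (now > grant.expires) return { ok: false, reason: "expired" };
  if (grant.senderId !== sender.id) return { ok: false, reason: "sender-mismatch" };
  if (grant.key !== actionKey(msg.action)) return { ok: false, reason: "action-mismatch" };
  return { ok: true };
}
```

A request that carries no token, a replayed token, or a token issued for a different action is refused before any privileged handler runs, which is the property the "non-replayable flows" recommendation asks for.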
