Critical Claude for Chrome Flaw Exposes Gmail, Docs, Calendar Data
Key Takeaways Anthropic’s Claude for Chrome browser extension contains two unpatched vulnerabilities. These flaws could allow attackers to access and manipulate user data in Gmail, Google Docs,...
Key Takeaways
- Anthropic’s Claude for Chrome browser extension contains two unpatched vulnerabilities.
- These flaws could allow attackers to access and manipulate user data in Gmail, Google Docs, and Google Calendar.
- One vulnerability carries a Critical CVSS score of 9.6, enabling silent data exfiltration and action if the “Act without asking” mode is enabled.
- Despite being reported in May 2026 and acknowledged by Anthropic, fixes have not been implemented in the latest version, 1.0.80.
A critical security flaw within Anthropic’s Claude for Chrome browser extension could permit malicious actors to compromise sensitive user data across Google services, including Gmail, Google Docs, and Google Calendar. This vulnerability, which requires as little as six lines of JavaScript to exploit, remains unpatched across eight subsequent releases, including the most recent version, 1.0.80.
Table Of Content
Security researchers from Manifold initially identified and reported these issues in May 2026. However, despite their disclosure, the vulnerabilities persist and are reproducible in the extension’s current iteration, released on July 7, 2026.
Claude for Chrome Vulnerabilities Detailed
The primary vulnerability resides within Claude’s content script, which is designed to detect and respond to user clicks on an onboarding button. Upon detecting a click, the script forwards a corresponding prompt to Claude’s side panel. The fundamental flaw lies in the script’s failure to verify the authenticity of the click event by checking the event.isTrusted property.
This oversight allows any other browser extension with script execution privileges on claude.ai – a common permission for many extensions – to programmatically simulate a user click. By injecting just six lines of JavaScript, an attacker can trick Claude into executing one of nine pre-defined prompts without the user’s explicit consent or knowledge.
These hardcoded prompts are not benign. Three of them pose significant risks:
- Reading and interacting with Gmail content, including actions like clicking unsubscribe links.
- Accessing and reading comments from the user’s most recently opened Google Doc.
- Scanning Google Calendar to create new meetings.
While Claude’s default “Ask before acting” mode would display an approval pop-up to the user, the severity escalates dramatically if the “Act without asking” mode is enabled. In this configuration, Claude executes these potentially malicious actions silently, without any user interaction, earning this vulnerability a Critical CVSS score of 9.6.
A secondary, structural issue was also identified within the Claude extension. The side panel can be forced into a privileged, consent-free mode simply by loading a URL containing the parameter ?skipPermissions=true. This bypasses any requirement for user gestures to activate advanced permissions. Although a warning banner does appear, it only does so after the privileged mode has already been activated, rendering it an informational notice rather than a protective measure.
Currently, this second issue is not directly exploitable by external parties, as only the extension itself can construct this specific URL. However, researchers caution that this represents a significant future risk. Any subsequent bug, such as a new message handler flaw, an XSS vulnerability, or a regression that permits external code to generate this URL, could immediately grant silent, comprehensive access to a user’s account data.
Both identified issues align with recognized security risks outlined in the OWASP Top 10 for LLM Applications. The synthetic-click vulnerability is categorized under prompt injection (LLM01), while the excessive permissions and silent execution capabilities fall under excessive agency (LLM06).
Unaddressed Risks and Previous Incidents
Proposed solutions for these vulnerabilities are straightforward: implementing a check for isTrusted on all click events and removing the URL-based privilege escalation mechanism. Despite the simplicity of these fixes, Anthropic has not incorporated them. The company acknowledged both reports within a day of their submission but subsequently closed them. Anthropic contended that the synthetic-click issue was already covered by an internal report and that the URL parameter did not pose an externally reachable risk.
Manifold researcher Ax Sharma reverified on July 7 that the problematic code remains byte-identical to the version initially reported, confirming that no patch has been deployed.
This situation mirrors a previous incident known as ClaudeBleed, where an announced fix for a vulnerability later proved incomplete. Such patterns raise serious questions about how AI-powered browser extensions manage trust boundaries between third-party scripts and their own privileged, agentic actions, and the effectiveness of their vulnerability remediation processes.
What You Should Do
- Exercise Caution: Be aware of the risks associated with browser extensions that have broad permissions, especially those interacting with sensitive data like email and documents.
- Review Extension Permissions: Regularly check the permissions granted to all your browser extensions. Revoke or uninstall any extensions that demand excessive permissions not essential for their stated function.
- Disable “Act without asking” Mode: If you use Claude for Chrome, ensure that the “Ask before acting” mode is enabled. This will at least prompt you before the extension performs any actions, even if a vulnerability is exploited.
- Stay Informed: Monitor official announcements from Anthropic and reputable cybersecurity news sources for updates and patches regarding the Claude for Chrome extension.
- Consider Alternatives: If the risks are unacceptable, consider limiting your use of the Claude for Chrome extension or exploring alternative methods for interacting with Claude until these critical vulnerabilities are fully addressed.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.