“ClaudeBleed” — Critical Flaw in Anthropic’s Claude Chrome Extension Lets Any Extension Hijack the AI Agent
Summary
Security researchers at LayerX have disclosed “ClaudeBleed,” a critical vulnerability in Anthropic’s Claude Chrome extension that allows any other browser extension — even those with zero special permissions — to hijack the AI agent and execute unauthorized commands on behalf of the user.
The flaw stems from a trust boundary issue where the Claude extension allows any script running in the browser’s origin to communicate with Claude’s LLM without verifying the script’s origin. This effectively bypasses Chrome’s extension security model, enabling cross-extension privilege escalation. In a proof of concept, LayerX demonstrated exfiltrating files from Google Drive, surveilling Gmail activity, sending unauthorized emails, and stealing private source code from GitHub repositories.
Anthropic released a patch (version 1.0.70) on May 6, 2026, but LayerX reports the fix is only partial — the vulnerability can still be exploited by switching the extension to “privileged” mode without user notification or consent. This follows an earlier vulnerability dubbed “ShadowPrompt” discovered in March 2026, which allowed zero-click prompt injection through the same extension.
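The missing sender check and the consent gap described above can be modelled in a few lines. This is an added example, not code from Anthropic, LayerX, or the extension itself; the extension ID, action names, handler functions and sender objects are hypothetical and constructed for illustration, with sender fields loosely modelled on what Chrome passes to message listeners.

```javascript
// Added illustration. All names are hypothetical; this is not the Claude extension's code.
const SELF_ID = "agent-extension-id"; // constructed placeholder ID
const TRUSTED_ORIGINS = new Set([`chrome-extension://${SELF_ID}`]);
const PRIVILEGED_ACTIONS = new Set(["set_mode", "run_agent_task"]);

// Flawed pattern: every message that reaches the handler is executed.
function handleUnchecked(msg, _sender) {
  return { ok: true, ran: msg.action };
}

// Hardened pattern: authenticate the sender, validate the message,
// then require recorded user consent for privileged actions.
function handleChecked(msg, sender, state) {
  if (!sender || sender.id !== SELF_ID) {
    return { ok: false, reason: "untrusted sender id" };
  }
  if (!TRUSTED_ORIGINS.has(sender.origin)) {
    return { ok: false, reason: "untrusted origin" };
  }
  if (!msg || typeof msg.action !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  if (PRIVILEGED_ACTIONS.has(msg.action) && !state.userConsented) {
    return { ok: false, reason: "user consent required" };
  }
  return { ok: true, ran: msg.action };
}

// Constructed senders: another extension, a script in a web page, the agent's own UI.
const SENDERS = {
  otherExtension: { id: "other-extension-id", origin: "chrome-extension://other-extension-id" },
  pageScript: { id: SELF_ID, origin: "https://mail.example" },
  ownUi: { id: SELF_ID, origin: `chrome-extension://${SELF_ID}` },
};

function demo() {
  const msg = { action: "run_agent_task", prompt: "constructed sample" };
  const out = {};
  for (const [name, sender] of Object.entries(SENDERS)) {
    out[name] = {
      unchecked: handleUnchecked(msg, sender).ok,
      checked: handleChecked(msg, sender, { userConsented: false }).ok,
      checkedWithConsent: handleChecked(msg, sender, { userConsented: true }).ok,
    };
  }
  return out;
}

console.log(demo());
```

Only the agent's own UI with recorded consent passes the hardened handler; the unchecked handler accepts all three senders.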
Source
📰 CyberScoop · LayerX Security · SecurityWeek
Commentary
This is a textbook example of why bolting AI agents onto browser environments is a minefield. The Claude extension essentially created a god-mode API that any extension could invoke — no permissions required. The implications are severe: your AI assistant, with access to your Google Drive, Gmail, and GitHub, becomes an unwitting proxy for any malicious or compromised extension in your browser.
The fact that the initial patch was incomplete makes this worse. Users running the Claude Chrome extension should be aware that the vulnerability is not fully resolved. More broadly, this highlights a growing attack surface: as AI agents gain more capabilities and access to sensitive services, their browser integrations become high-value targets. Expect more ClaudeBleed-style disclosures as the AI agent ecosystem matures.


