Unpatched Claude for Chrome Flaws Expose Gmail, Google Docs Data

Unpatched Flaws in Claude Chrome Extension Expose Google Workspace Data

MEDIUM
July 16, 2026
4m read
VulnerabilityCloud SecurityOther

Related Entities

Organizations

AnthropicManifold Security

Products & Tech

Claude for ChromeGoogle Workspace GmailGoogle DocsGoogle Calendar

Full Report

Executive Summary

Security researchers have disclosed two unpatched vulnerabilities in the popular Claude for Chrome browser extension developed by Anthropic. The flaws can be exploited by another malicious browser extension installed by the user to gain unauthorized access to their sensitive Google Workspace data. A malicious extension could programmatically instruct the Claude extension to read Gmail messages, access Google Docs, and view Google Calendar entries without the user's direct interaction. The vulnerabilities, first reported to Anthropic in May 2026, remain present in the latest version (1.0.801.0). The issue stems from a failure to validate the origin of user actions, creating a significant data privacy risk for users of the extension.


Vulnerability Details

The core of the vulnerability lies in a broken trust boundary within the extension's design. The Claude for Chrome extension has pre-approved prompts that allow it to perform actions on behalf of the user, such as summarizing recent emails or checking calendar availability. The flaw, discovered by Manifold Security, is that the extension's click handler does not properly verify whether a command was triggered by a legitimate user click or a synthetic click generated by a script from another extension.

This creates an exploit path where:

  1. A user installs the legitimate Claude for Chrome extension.
  2. The user also installs a separate, malicious extension (e.g., a seemingly harmless theme or utility).
  3. The malicious extension, running on the claude.ai domain, can inject a script that programmatically 'clicks' one of Claude's action buttons.
  4. The Claude extension, failing to validate the click's origin, executes the corresponding privileged action, such as reading the user's Gmail inbox.

Affected Systems

  • Product: Anthropic's Claude for Chrome browser extension (version 1.0.801.0 and potentially earlier).
  • Affected Platforms: Any user of Google Chrome with this extension installed.
  • Exposed Data: Google Workspace data, including Gmail, Google Docs, and Google Calendar.

Exploitation Status

These are unpatched vulnerabilities. While there is no public evidence of active exploitation in the wild, the public disclosure of the flaw details increases the risk that threat actors may develop and deploy malicious extensions to exploit it. The risk is significantly amplified for users who have configured the Claude extension with the "Act without asking" setting, as this would allow the malicious actions to be performed silently in the background without any user-facing confirmation prompt.

Impact Assessment

A successful exploit could lead to a serious breach of personal and corporate data. An attacker could silently exfiltrate the content of sensitive emails, confidential documents, and private calendar appointments. This information could be used for corporate espionage, blackmail, or to gather intelligence for more sophisticated follow-on attacks. The vulnerability undermines the trust model of browser extensions and the AI assistant itself, turning a productivity tool into a potential surveillance vector.


Cyber Observables — Hunting Hints

Detecting this specific attack is difficult for end-users. Enterprise security teams could hunt for related activity:

Type
other
Value
Suspicious Chrome Extension IDs
Description
Maintain a list of known malicious or risky Chrome extensions and hunt for their presence in your environment.
Context
EDR, Browser Management Tools
Type
network_traffic_pattern
Value
Anomalous data transfer from claude.ai
Description
If Claude is being controlled to exfiltrate data, it might result in unusual data patterns originating from its domain, though this would be hard to distinguish from normal use.
Context
Network Monitoring
Type
log_source
Value
Google Workspace Audit Logs
Description
Look for rapid, programmatic-looking access to multiple documents or emails by the Claude service account, especially outside of user's active hours.
Context
Google Workspace Admin Console

Detection Methods

  1. Browser Extension Auditing: In an enterprise environment, use browser management tools or EDR solutions to inventory all installed Chrome extensions across the user base. Compare the installed extensions against a list of known malicious or unwanted extensions.
  2. Monitor for Risky Configurations: Identify all users who have the Claude for Chrome extension installed and have enabled the "Act without asking" feature. These users are at the highest risk and should be prioritized for mitigation.
  3. Review Workspace Logs: Analyze Google Workspace audit logs for signs of anomalous data access by the Claude service principal. A script-driven attack might access dozens of emails or documents in a few seconds, a pattern unlikely to be generated by a human user.

Remediation Steps

  1. Disable the Extension: Until a patch is released by Anthropic, the most effective remediation is to disable or uninstall the Claude for Chrome extension.
  2. Disable "Act without asking": For users who must continue using the extension, immediately disable the "Act without asking" setting. This ensures that a confirmation prompt will be displayed before any action is taken, which would alert the user to a malicious attempt.
  3. Audit Installed Extensions: All users should regularly review their installed browser extensions and remove any that are not from a highly trusted developer or are no longer needed. Be particularly suspicious of extensions that require broad permissions.

Timeline of Events

1
May 1, 2026
Researchers at Manifold Security report the vulnerabilities to Anthropic.
2
July 7, 2026
Anthropic releases version 1.0.801.0 of the extension, which does not fix the reported flaws.
3
July 14, 2026
The vulnerabilities are publicly disclosed.
4
July 16, 2026
This article was published

MITRE ATT&CK Mitigations

Until a patch is available, the most effective mitigation is to disable or remove the vulnerable extension.

Mapped D3FEND Techniques:

Disabling the high-risk 'Act without asking' feature is a critical configuration change that can mitigate the highest-impact version of this attack.

Mapped D3FEND Techniques:

Using browser management policies to create an allowlist of approved extensions prevents users from installing the malicious extension needed to trigger the exploit.

Mapped D3FEND Techniques:

D3FEND Defensive Countermeasures

The most immediate and effective countermeasure is to treat the vulnerable Claude for Chrome extension as unauthorized software until it is patched. In an enterprise environment, security teams should use their browser management solution (e.g., Google Admin, Microsoft Intune) or EDR platform to add the extension's ID (jiobchbmedjmdcbbdpkcecpkjaeniiap) to a denylist. This will forcibly disable or remove it from all managed browsers, completely eliminating the vulnerability from the environment. For unmanaged devices, users should be instructed to manually uninstall the extension immediately. This directly addresses the root cause by removing the vulnerable code.

For organizations or users who determine the risk of removal is too high for business operations, a critical harm reduction step is to enforce a secure configuration. The highest risk from this vulnerability comes from the 'Act without asking' feature. Users should be mandated to disable this setting immediately. This ensures that even if a malicious extension attempts to trigger one of Claude's actions, a confirmation prompt will appear, requiring user interaction. This turns a silent, automated attack into a noisy one that the user can deny and report, serving as a crucial mitigating control.

Timeline of Events

1
May 1, 2026

Researchers at Manifold Security report the vulnerabilities to Anthropic.

2
July 7, 2026

Anthropic releases version 1.0.801.0 of the extension, which does not fix the reported flaws.

3
July 14, 2026

The vulnerabilities are publicly disclosed.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

VulnerabilityBrowser ExtensionClaudeAnthropicGoogle WorkspaceData Privacy

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.