Security researchers have disclosed two unpatched vulnerabilities in the popular Claude for Chrome browser extension developed by Anthropic. The flaws can be exploited by another malicious browser extension installed by the user to gain unauthorized access to their sensitive Google Workspace data. A malicious extension could programmatically instruct the Claude extension to read Gmail messages, access Google Docs, and view Google Calendar entries without the user's direct interaction. The vulnerabilities, first reported to Anthropic in May 2026, remain present in the latest version (1.0.801.0). The issue stems from a failure to validate the origin of user actions, creating a significant data privacy risk for users of the extension.
The core of the vulnerability lies in a broken trust boundary within the extension's design. The Claude for Chrome extension has pre-approved prompts that allow it to perform actions on behalf of the user, such as summarizing recent emails or checking calendar availability. The flaw, discovered by Manifold Security, is that the extension's click handler does not properly verify whether a command was triggered by a legitimate user click or a synthetic click generated by a script from another extension.
This creates an exploit path where:
claude.ai domain, can inject a script that programmatically 'clicks' one of Claude's action buttons.These are unpatched vulnerabilities. While there is no public evidence of active exploitation in the wild, the public disclosure of the flaw details increases the risk that threat actors may develop and deploy malicious extensions to exploit it. The risk is significantly amplified for users who have configured the Claude extension with the "Act without asking" setting, as this would allow the malicious actions to be performed silently in the background without any user-facing confirmation prompt.
A successful exploit could lead to a serious breach of personal and corporate data. An attacker could silently exfiltrate the content of sensitive emails, confidential documents, and private calendar appointments. This information could be used for corporate espionage, blackmail, or to gather intelligence for more sophisticated follow-on attacks. The vulnerability undermines the trust model of browser extensions and the AI assistant itself, turning a productivity tool into a potential surveillance vector.
Detecting this specific attack is difficult for end-users. Enterprise security teams could hunt for related activity:
claude.aiUntil a patch is available, the most effective mitigation is to disable or remove the vulnerable extension.
Disabling the high-risk 'Act without asking' feature is a critical configuration change that can mitigate the highest-impact version of this attack.
Using browser management policies to create an allowlist of approved extensions prevents users from installing the malicious extension needed to trigger the exploit.
The most immediate and effective countermeasure is to treat the vulnerable Claude for Chrome extension as unauthorized software until it is patched. In an enterprise environment, security teams should use their browser management solution (e.g., Google Admin, Microsoft Intune) or EDR platform to add the extension's ID (jiobchbmedjmdcbbdpkcecpkjaeniiap) to a denylist. This will forcibly disable or remove it from all managed browsers, completely eliminating the vulnerability from the environment. For unmanaged devices, users should be instructed to manually uninstall the extension immediately. This directly addresses the root cause by removing the vulnerable code.
For organizations or users who determine the risk of removal is too high for business operations, a critical harm reduction step is to enforce a secure configuration. The highest risk from this vulnerability comes from the 'Act without asking' feature. Users should be mandated to disable this setting immediately. This ensures that even if a malicious extension attempts to trigger one of Claude's actions, a confirmation prompt will appear, requiring user interaction. This turns a silent, automated attack into a noisy one that the user can deny and report, serving as a crucial mitigating control.
Researchers at Manifold Security report the vulnerabilities to Anthropic.
Anthropic releases version 1.0.801.0 of the extension, which does not fix the reported flaws.
The vulnerabilities are publicly disclosed.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.