Unpatched ClaudeBleed Flaw Hijacks Chrome Extension Agents
A vulnerability in the Claude for Chrome extension allows malicious third-party scripts to bypass security prompts and exfiltrate connected data.
A critical, unpatched vulnerability in Anthropic’s Claude for Chrome extension allows malicious third-party scripts to hijack the AI and execute unauthorized actions. Disclosed by Manifold Security and detailed in a recent security report, the flaw affects versions up to 1.0.80. The exploit, known as ClaudeBleed, bypasses standard user interaction safeguards to extract data from connected services like Gmail, Google Drive, and GitHub.
Synthetic Clicks and Privilege Escalation
Attackers leverage a combination of DOM manipulation and synthetic click exploitation. The extension fails to properly validate the isTrusted property on click events originating from the claude.ai web origin. This allows a malicious extension with zero special permissions to inject JavaScript and simulate trusted user clicks on the interface.
To bypass state-based security prompts, attackers append a hidden ?skipPermissions=true URL parameter. This places the extension into a privileged “Hands-off” mode designed for unattended multi-step tasks. If any confirmation dialogs do appear, the malicious script initiates an approval loop, automatically clicking through the warnings. The script can also dynamically rename critical interface buttons, tricking the AI into executing destructive actions under benign labels.
Scope and Impact
The vulnerability exposes sensitive data from services connected to the Claude extension. Researchers demonstrated that a malicious extension can force Claude to act as a confused deputy, executing commands against authenticated sessions.
| Service | Exploited Capability |
|---|---|
| Gmail | Read, summarize, forward, or delete emails |
| Google Drive/Docs | Access, read, and share restricted documents |
| Google Calendar | View and modify private schedules |
| GitHub | Clone and exfiltrate private repositories |
| Salesforce | Access and export customer data |
If you automate desktop workflows using browser-based AI tools, this represents a major access risk. Anthropic has updated its safety documentation to acknowledge that prompt injection and novel attacks can bypass evaluations, but the core vulnerability remains unpatched after eight consecutive releases. Security researchers note the extension only validates the web origin rather than the execution context of the script.
If you deploy browser-based AI assistants, you must isolate the extension environment from untrusted third-party add-ons. Disable the Claude extension in browser profiles used for handling sensitive enterprise accounts until a context-aware patch is released.
Get Insanely Good at AI
The book for developers who want to understand how AI actually works. LLMs, prompt engineering, RAG, AI agents, and production systems.
Keep Reading
How to Integrate Claude Code into Large Legacy Codebases
Learn how to integrate Claude Code into massive legacy projects using incremental context and the new native binary features in version 2.1.119.
CVE-2026-42824 Grants 1-Click Data Theft via M365 Copilot
Varonis researchers disclosed SearchLeak, a critical vulnerability chain in Microsoft 365 Copilot enabling 1-click exfiltration of enterprise data.
NATO and 150 Global Partners Deploy Claude Mythos Preview
Anthropic is deploying its restricted Claude Mythos Preview model to 150 critical infrastructure organizations across 15 countries to secure core codebases.
Anthropic Builds CLUE Threat Detection Platform in One Week
Anthropic's internal security team used Claude Code to develop and deploy CLUE, a natural language threat detection platform, in just seven days.
CVE-2026-42208: Pre-Auth SQLi Actively Exploited in LiteLLM
Threat actors are exploiting a critical pre-authentication SQL injection in the LiteLLM proxy to exfiltrate master API keys and cloud provider credentials.