VYPR
advisoryPublished Jul 14, 2026· 1 source

Anthropic's Claude for Chrome Extension Vulnerable to Data Theft

Two unpatched vulnerabilities in Anthropic's Claude for Chrome extension allow attackers to access sensitive user data from Gmail, Google Docs, and Calendar.

Anthropic's popular Claude for Chrome browser extension harbors two critical, unpatched vulnerabilities that could allow malicious actors to access sensitive user data, including emails, documents, and calendar entries. Researchers at Manifold first reported these flaws in May 2026, yet they remain exploitable even in the extension's latest version, v1.0.80, released on July 7, 2026. The implications are severe, as a mere six lines of JavaScript could be sufficient to trigger the vulnerabilities.

The first vulnerability resides within Claude's content script. This script is designed to detect clicks on a specific onboarding button and relay a corresponding prompt to Claude's side panel. However, the script fails to verify if a click event is genuinely user-initiated, specifically by checking the event.isTrusted property. Consequently, any other browser extension with script access to the claude.ai domain—a common permission—can forge a click event. This allows the malicious extension to trigger one of nine hardcoded prompts within Claude without the user's explicit consent or knowledge. Three of these prompts are particularly concerning, instructing Claude to read Gmail and interact with emails, access and read comments from the user's latest Google Doc, or scan Google Calendar to create meetings.

When Claude operates in its default "Ask before acting" mode, users would typically see an approval popup before any action is taken. However, if the "Act without asking" setting is enabled, Claude executes these sensitive actions silently. This silent execution, combined with the potential for broad data access, has earned this specific attack vector a CVSS score of 9.6, classifying it as Critical. The researchers provided a visual representation of the attack chain, highlighting the ease with which this exploit could be chained.

The second vulnerability is structural and relates to how Claude's side panel handles permissions. The side panel can enter a privileged, no-consent mode if it loads a URL containing the specific parameter ?skipPermissions=true. This state can be entered without any user gesture. While a warning banner does appear, it is displayed only after the privileged mode is already active, rendering it ineffective as a preventative measure. Currently, this particular vulnerability is not directly exploitable by external attackers because only the extension itself can construct such a URL. However, researchers warn that this presents a significant future risk. Any subsequent bug, such as a new message handler, a cross-site scripting (XSS) flaw, or a regression that allows external code to generate this specific URL, could instantly grant silent, full-account access to user data.

Both identified issues align with recognized security risks for Large Language Model (LLM) applications, as outlined in the OWASP Top 10 for LLM Applications. The first vulnerability falls under prompt injection (LLM01), where malicious input manipulates the LLM's behavior. The second relates to excessive agency (LLM06), where the LLM is granted more permissions or capabilities than necessary, leading to potential misuse.

Anthropic has acknowledged the reports, with researchers noting that the company responded within a day. However, Anthropic closed the reports without implementing fixes, arguing that the synthetic-click issue was already covered by an internal report and that the URL parameter did not pose an externally reachable risk. Despite Anthropic marking the underlying tracking issue as "Resolved" before June 9, Manifold researcher Ax Sharma re-verified on July 7 that the code responsible for the vulnerability remains unchanged. This situation echoes a previous incident, dubbed "ClaudeBleed," where an announced fix for a vulnerability proved to be incomplete, raising further concerns about how AI browser extensions manage trust boundaries between third-party scripts and their own privileged actions.

The lack of timely patches for these critical vulnerabilities, especially given their potential to expose sensitive user data, highlights a growing challenge in securing AI-powered browser extensions. Users who rely on Claude for Chrome are advised to exercise caution and consider disabling the extension until Anthropic addresses these security concerns definitively. The ongoing exploitation of AI-related vulnerabilities underscores the need for robust security practices and diligent patching by AI service providers.

Synthesized by Vypr AI