VYPR research · Published May 8, 2026 · Updated May 17, 2026 · 1 source

'ClaudeBleed' Vulnerability Allows Hijacking of Claude AI Agent via Chrome Extensions

A vulnerability in the Claude Chrome extension allows malicious extensions to hijack the AI agent, bypass security prompts, and perform unauthorized actions on behalf of the user.

A critical security vulnerability in the Claude extension for Chrome, identified by cybersecurity firm LayerX, allows unauthorized actors to hijack the AI agent and perform malicious actions on behalf of the user. Dubbed "ClaudeBleed," the flaw stems from a combination of overly permissive access controls and a failure to properly verify the execution context of commands sent to the extension (SecurityWeek).

The technical mechanism behind ClaudeBleed relies on the extension's tendency to trust the origin of a command rather than the specific context from which it originates. Specifically, the Claude extension allows any script running within the claude.ai origin to issue privileged commands. An attacker can exploit this by creating a malicious Chrome extension that injects a content script into the page. Because the Claude extension assumes any message originating from the claude.ai environment is legitimate, it processes these arbitrary prompts without sufficient validation (SecurityWeek).

By leveraging this trust, an attacker can perform remote prompt injection to manipulate the AI agent. Although Claude includes built-in security measures—such as mandatory user confirmation for sensitive actions and policies restricting certain behaviors—LayerX demonstrated that these protections can be bypassed. Attackers can forge user approval by repeatedly sending confirmation requests and use Document Object Model (DOM) manipulation to alter the UI, effectively tricking the AI into perceiving malicious actions as authorized user requests (SecurityWeek).
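As an added illustration of the design point above (example code written for this page, not code from the Claude extension or from LayerX), the router below authorizes privileged commands by execution context rather than by page origin, and binds each user approval to one specific pending action so that repeated approval messages or a manipulated DOM cannot stand in for consent. It assumes a relay that receives page-level messages through window.postMessage and extension-UI messages through chrome.runtime.sendMessage; the extension id, command names and sender shape are constructed for the example.

```javascript
// Added example (hypothetical design, not the Claude extension's own code):
// authorize by execution context, not by page origin, and bind approvals to
// a single pending action tracked in the background worker, not in the DOM.

const OWN_EXTENSION_ID = "exampleextensionid0000000000000000"; // placeholder, constructed
const PRIVILEGED_COMMANDS = new Set(["send_email", "delete_file", "share_document"]);
const PAGE_ALLOWED_COMMANDS = new Set(["get_status"]); // safe to accept from a page context

// "window" = window.postMessage. The page's own scripts AND any other extension's
// content script on the same tab can call it, so event.origin === "https://claude.ai"
// says nothing about which extension actually sent the message.
// "runtime" = chrome.runtime.sendMessage, where Chrome itself fills in sender.id / url.
function senderContext(transport, sender) {
  if (transport === "window") return "page";
  if (transport === "runtime" && sender && sender.id === OWN_EXTENSION_ID &&
      typeof sender.url === "string" &&
      sender.url.startsWith(`chrome-extension://${OWN_EXTENSION_ID}/`)) {
    return "extension_ui"; // popup / side panel / options page owned by this extension
  }
  return "untrusted";
}

// The weak pattern the article describes: trust anything that carries the site origin.
function vulnerableAuthorize(msg) {
  return msg.origin === "https://claude.ai";
}

class CommandRouter {
  constructor() { this.pending = new Map(); this.counter = 0; }

  // Returns { ok, executed } for safe commands, { ok, pendingId } for privileged
  // ones that now await approval, or { ok: false, reason } on rejection.
  handle(transport, sender, msg) {
    const ctx = senderContext(transport, sender);
    if (!PRIVILEGED_COMMANDS.has(msg.command)) {
      if (PAGE_ALLOWED_COMMANDS.has(msg.command)) return { ok: true, executed: msg.command };
      return { ok: false, reason: "unknown_command" };
    }
    if (ctx !== "extension_ui") return { ok: false, reason: `privileged_from_${ctx}` };
    // Even from the extension's own UI, a privileged action waits for a user
    // approval that names this exact pending id.
    const id = `pending-${++this.counter}`;
    this.pending.set(id, msg.command);
    return { ok: true, pendingId: id };
  }

  // Approval must come from extension UI and reference the pending id; generic
  // "approve" messages from a page context, or replays, are rejected.
  approve(transport, sender, pendingId) {
    if (senderContext(transport, sender) !== "extension_ui") {
      return { ok: false, reason: "approval_not_from_ui" };
    }
    const command = this.pending.get(pendingId);
    if (!command) return { ok: false, reason: "no_such_pending_action" };
    this.pending.delete(pendingId); // single use
    return { ok: true, executed: command };
  }
}

// Constructed scenario: a foreign content script on the claude.ai tab posts a
// privileged command through window.postMessage.
const foreignPagePost = { origin: "https://claude.ai", command: "send_email" };
console.log(vulnerableAuthorize(foreignPagePost));            // true: origin alone lets it through
const router = new CommandRouter();
console.log(router.handle("window", null, foreignPagePost));  // { ok: false, reason: 'privileged_from_page' }
```

The design choice worth noting is that no amount of origin checking on a window.postMessage handler can tell the site's own script apart from another extension's content script on the same tab, so page-level messages are capped at a small allow-list and every privileged action needs a runtime message from an extension-owned page plus a single-use approval that the worker itself records. Because that approval state lives in the worker rather than in page markup, altering the visible UI does not change what the worker believes the user agreed to.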

The impact of this vulnerability is significant, as it effectively undermines Chrome’s extension security model. By exploiting this flaw, a zero-permission extension can inherit the full capabilities of the Claude AI assistant. This allows an attacker to exfiltrate sensitive data from connected services like Gmail, GitHub, and Google Drive. Furthermore, attackers could potentially send emails, delete files, or share documents, all while operating under the guise of the legitimate user (SecurityWeek).

In response to the disclosure, Anthropic implemented a patch designed to prevent extensions running in "standard" mode from executing remote commands. However, LayerX reports that this fix is incomplete because it fails to address the root cause of the vulnerability. An attacker can circumvent the patch by switching the malicious extension to "privileged" mode—a change that occurs without user notification or consent (SecurityWeek).

This vulnerability highlights the growing security challenges associated with AI agents that have deep integrations into browser environments. As AI tools gain the ability to interact with sensitive user data and perform cross-platform actions, the security of the extensions facilitating these connections becomes a critical attack vector. Users should remain cautious of the extensions they install, as even those with seemingly benign permissions can be weaponized to compromise highly privileged AI assistants (SecurityWeek).

Synthesized by Vypr AI