On Wednesday, security researchers at Manifold Security disclosed a high-severity vulnerability in the Claude in Chrome extension that could allow a malicious browser add-on to silently read your Gmail, access Google Docs, and peek at your calendar—all without your explicit consent. The flaw, which affects version 1.0.80 and possibly earlier, hinges on the extension’s inability to distinguish between a real user click and a synthetic one injected by another extension.

The Vulnerability Explained

The core issue lies in how Claude for Chrome handles task requests. When you use the extension, you can ask it to perform actions like “summarize my recent emails” or “add this event to my calendar.” For security, Anthropic added an allowlist of nine predefined tasks that external extensions can trigger, a mitigation after a prior incident dubbed ClaudeBleed. However, Manifold Security found that the extension’s content script on claude.ai listens for clicks on a page element to kick off those tasks, but it fails to verify that the click came from a human using a mouse or keyboard.

A rogue extension with the right permissions—specifically, the ability to execute code on the claude.ai domain—can craft a fake element, assign it one of the allowed task IDs, and dispatch a synthetic click event. Claude then obediently carries out the task as if you’d asked it yourself. The browser’s built-in event.isTrusted flag, which distinguishes genuine user interactions from scripted ones, was not checked.

This isn’t a flaw in Chrome itself, nor does it let any random website hijack your inbox. The attacker needs a separate extension already running scripts on claude.ai. But that’s exactly why this matters: the average Chrome user has dozens of extensions, many of which request broad access to “read and change data on all sites” or specific sites. A poorly vetted or compromised extension could become a launchpad for these attacks.

Why ‘Act Without Asking’ Amplifies the Danger

By default, Claude for Chrome operates in “Ask before acting” mode: even if a task is triggered automatically, you’ll see an approval dialog and must manually confirm. That provides a critical checkpoint. But the extension also offers an “Act without asking” mode (sometimes labeled “Skip all approvals” in settings) for users who want the AI to work autonomously in the background.

When that mode is enabled, any synthetic click that passes the allowlist check triggers the task silently. The researchers gave this scenario a CVSS severity rating of 9.6 out of 10, indicating critical risk. In practice, an attacker could make Claude read your latest Gmail messages, fetch a sensitive Google Doc, or extract your calendar appointments—all without a single prompt or notification.

Even in the default mode, the approval dialog can be socially engineered. Users accustomed to frequent prompts may not recognize that a particular request originated from a malicious extension rather than their own earlier command.

A Troubling History: From ClaudeBleed to Now

This isn’t the first time Claude in Chrome has faced trust-boundary problems. In early 2026, a researcher uncovered “ClaudeBleed,” a vulnerability that allowed any website to commandeer the AI agent via malicious prompts. Anthropic responded by locking down external access to a short allowlist of tasks, believing that the attack surface was contained.

The new findings show that the fix was incomplete. Manifold Security reported the synthetic-click issue and a related side-panel permission vulnerability to Anthropic on May 21, 2026. The company acknowledged both reports and later marked an internal tracking issue as “Resolved” by June 9. Yet when researchers tested version 1.0.80 on July 7, the flaws remained reproducible. The underlying code in the content script hadn’t changed since version 1.0.72. This gap between declared resolution and actual outcome echoes the earlier ClaudeBleed incident, raising concerns about Anthropic’s patch validation process.

What It Means for You

For individual users: If you’re a Claude subscriber running the Chrome extension, you need to assess your risk based on which extensions you’ve installed and whether you’ve enabled autonomous mode. The likelihood of a targeted attack may be low for casual users, but the potential damage is severe—an attacker could harvest private email content, access documents containing financial or health information, or gather intelligence from your calendar. Even if you trust all your extensions, a previously benign add-on could be updated or sold to a malicious actor.

For IT administrators and enterprises: The risk is magnified. Many organizations deploy Chrome with a fleet of extensions for productivity, security, and internal tools. An extension with seemingly limited permissions (e.g., one that modifies a single internal web app) could, if it has access to claude.ai scraps, serve as a beachhead to exploit Claude’s broad OAuth permissions. This renders traditional extension-permission reviews insufficient. A low-risk add-on can pivot through the AI agent to access high-value cloud assets. Corporate security teams must treat the Claude in Chrome extension as a high-trust component and apply rigorous controls around its usage, especially in environments handling sensitive data.

Immediate Steps to Protect Yourself

If you’re using Claude in Chrome, here’s what you should do now:

  1. Disable “Act without asking” (or “Skip all approvals”) immediately. Navigate to the extension’s settings and ensure Claude pauses for confirmation on every sensitive action. This restores the human-in-the-loop barrier and blocks silent attacks.
  2. Audit your Chrome extensions. Go to chrome://extensions, review every installed add-on, and remove any you no longer need. Pay special attention to extensions that have permission to “Read and change your data on claude.ai” or all sites. Be ruthless: fewer extensions mean a smaller attack surface.
  3. Use separate browser profiles for AI-assisted work. Consider creating a dedicated Chrome profile for using Claude in Chrome, one that doesn’t have other extensions installed or is logged into only essential services. This limits the blast radius if a rogue extension ever slips through.
  4. For enterprises: enforce extension whitelisting. Use Group Policy or endpoint management tools to block all but explicitly approved extensions, and verify that none of them can inject scripts on claude.ai unless absolutely necessary.
  5. Monitor for an official fix. Keep the extension updated, but also watch for a new version from Anthropic that directly addresses the synthetic-event validation and removes the URL-based permission mode. Do not re-enable autonomous mode until a verified patch is applied.

What to Watch For

Anthropic has not publicly commented on these specific findings as of this writing, but the company is likely working on a remediation. Previous incidents suggest they may release an update that properly checks event.isTrusted and refactors the side-panel permission model. Security-minded users can track the extension’s version history on the Chrome Web Store or follow Manifold Security’s blog for any confirmation of a fix.

In the broader picture, this incident highlights the emerging risks of AI browser agents that operate with high privileges: their security model must contend not just with websites but with the entire ecosystem of co-resident extensions. Expect calls for stronger isolation mechanisms and standardized API-level protections for AI-assisted browser actions.

Finally, use this as an opportunity to review your overall browser hygiene. Unwanted extensions, excessive permissions, and lack of profile separation are low-hanging fruit for attackers. A few minutes of cleanup now could prevent a major headache later.