Skip to content
feed: live
>_ 0dayNews
browser
Analysis

Claude for Chrome flaw lets other extensions read Gmail

Manifold says the trust-boundary flaw behind ClaudeBleed is still open in Claude for Chrome v1.0.80 — eight releases after Anthropic's May fix.

kilobaud Dave "Kilobaud" Ferris · Published · 3 min read

Manifold Security published a disclosure on 2026-07-14 saying that two flaws they reported to Anthropic on 2026-05-21 against Claude for Chrome v1.0.72 are still present in v1.0.80, the release that shipped on 2026-07-07. The Hacker News, which walked through both findings the same day, says it independently verified them against the current build and found the relevant code “byte-for-byte identical” across the eight intervening releases.

The more consequential of the two — the one that carries a CVSS 9.6 in Claude’s “act without asking” mode and CVSS 7.7 in the default “ask before acting” mode — is not new in shape. It is the same trust-boundary problem that LayerX Security disclosed in late April as ClaudeBleed: the extension’s content script on claude.ai accepts messages from anything else running on that page without checking who actually sent them. In May, Anthropic responded to LayerX by narrowing what any such caller could ask for — nine fixed task IDs instead of arbitrary prompts. The underlying “we trust the origin, not the script” decision stayed in place. Manifold’s finding is that once you narrow yourself to those nine tasks, three of them still hand a caller Claude’s read access to the user’s Gmail, Google Docs, and Calendar.

The second flaw is smaller and more of an ambient risk than a live one: a URL parameter on the extension’s side panel that, if set, boots it into a skip-all-permissions mode. Only the extension itself sets that parameter today. Anthropic closed the report as “informative” on that basis, which is a defensible call for right now and a bad bet for the length of the product’s life — this is the kind of latent control-plane switch that, five vulnerabilities from today, one of the five turns into the pivot.

Anthropic’s response to the more serious report is worth reading in full: they closed the forged-click write-up because the problem was, in their words, “already tracked under the earlier ClaudeBleed report, which remains open pending a complete fix.” That is honest — they are not pretending it is fixed — and it is also, eight releases later, the entire problem. A trust-boundary decision that everyone (Anthropic, the two reporting firms, an outlet that reproduced the bug) agrees is the root cause is being carried by the product from release to release, week after week, and the mitigation shipped in May turns out to have narrowed the blast radius from “any prompt” to “your inbox, your docs, your calendar.” Narrower, still not narrow.

None of this needs an exploit walkthrough to matter, and I am not going to write one — Manifold’s post is public, LayerX’s earlier post is public, both walk the shape of the bug well enough for anyone who needs the technical depth to get it from the primary sources. What this newsroom writes down is the pattern. LLM-driven browser extensions live in the same page context as every other extension a user has ever installed, and the trust boundary between those extensions is enforced by the humans reviewing the store, not by the browser. Every LLM-in-the-browser product will have to pick where to draw a new boundary — origin, extension ID, message shape, all three — and every one that draws it lazily is going to relive this month.

The immediate practical read for anyone running Claude for Chrome in an environment with corporate Gmail attached: the “ask before acting” default is doing real work here. Leaving it on is the difference between CVSS 7.7 and CVSS 9.6 while Anthropic ships the complete fix.

Sourcing

Found this useful? Share it.