ClaudeBleed: Flaw in Anthropic’s Claude Chrome Extension Lets Any Plugin Hijack Your AI

A critical security flaw in Anthropic's "Claude in Chrome" browser extension — dubbed ClaudeBleed by the researchers who discovered it — allows any other Chrome extension, even one with zero permissions, to take full control of Claude's AI capabilities and perform actions on behalf of the user without their knowledge. The flaw, rated CVSS (Common Vulnerability Scoring System) 10.0 (the maximum possible severity score), was discovered by browser security firm LayerX, which disclosed it to Anthropic on April 27, 2026. Anthropic released a partial fix in extension version 1.0.70 on May 6, 2026, but LayerX's researcher bypassed the patch within three hours. As of May 8, 2026, the core trust model vulnerability remains unresolved.

ClaudeBleed: Technical Details

The "Claude in Chrome" extension (version 1.0.69, released April 22, 2026) enables users to interact with Anthropic's Claude AI assistant while browsing the web, giving it the ability to read page content, interact with browser contexts, and take agentic actions (performing multi-step tasks autonomously on the user's behalf — such as composing emails, accessing cloud storage, or navigating websites).

The vulnerability stems from a trust boundary failure in how the extension mediates communication between external scripts and the Claude LLM (Large Language Model — the underlying AI system powering Claude). The extension's architecture allows scripts running within the browser context — including scripts injected by other extensions — to send messages to the Claude extension and issue commands to the underlying LLM without any verification of the message source.

In Chrome's extension security model, extensions are supposed to be isolated from each other. A malicious extension should not be able to read the private state or interact with the internals of a different extension. ClaudeBleed breaks this isolation: because the Claude extension does not verify that incoming messages originate from trusted, Claude-specific sources, any other Chrome extension can inject a content script and relay arbitrary instructions to Claude.

Critically, the attacking extension requires zero permissions, not even the ability to read tabs or access browsing history. The attack works purely through Chrome's standard inter-extension messaging APIs, which any extension can use without special permission grants.

The attack surface exposed by ClaudeBleed includes everything Claude is capable of doing for an authenticated user:

  • Reading and exfiltrating emails from web-based email clients the user has open
  • Accessing and downloading files from Google Drive or other cloud storage services visible in the browser
  • Reading and exfiltrating content from private GitHub repositories the user is browsing
  • Submitting forms, posting content, or taking agentic browser actions on arbitrary sites

LayerX assigned this vulnerability a CVSS 10.0 score based on CVSS v3.0 and v4.0 assessment — the maximum possible rating, reflecting: remote exploitability, no authentication required for the attacking extension, no user interaction required (zero-click), complete confidentiality and integrity impact, and availability impact.

Anthropic was notified on April 27, 2026. Anthropic confirmed the issue had already been identified internally and stated it would be addressed in an upcoming release.

Exploitation Status and Threat Landscape

Anthropic released version 1.0.70 on May 6, 2026. LayerX's principal security researcher reviewed the patch and found it only partially mitigated the attack surface. Two bypass vectors remain:

  • "Act without asking" mode: When Claude is configured to operate autonomously without prompting the user for confirmation, the patch's new trust checks are bypassed because the extension is already in an unconstrained execution mode that accepts broader commands.
  • Alternative side-panel execution flows: The extension has a secondary code path for side-panel rendering that does not apply the same sender verification logic as the main content script path, restoring autonomous behavior for a sufficiently crafted injection.

LayerX confirmed the bypass within three hours of the patch's release and disclosed the details to Anthropic. At time of publication, Anthropic has not released an additional fix.
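
A sketch of the kind of sender check this section describes, added here as an illustration and not taken from Anthropic's extension or LayerX's report: one guard wraps every entry point, and the autonomy setting is read only after the sender has been classified. The extension ID, origins, action names and `mainHandler` are constructed placeholders.

```javascript
// Added illustration, not Anthropic's code. IDs, origins and action names are constructed.
const OWN_ID = "a".repeat(32); // stands in for chrome.runtime.id
const OWN_ORIGIN = `chrome-extension://${OWN_ID}`;
const PRIVILEGED = new Set(["run_task", "read_page"]); // hypothetical agent actions

// Classify a chrome.runtime MessageSender by who could have produced the message.
function classifySender(sender) {
  if (!sender || sender.id !== OWN_ID) return "foreign"; // another extension
  if (sender.origin === OWN_ORIGIN) return "own-ui";     // popup or side-panel page
  return "content-script"; // our script in a web page, whose DOM other extensions share
}

// Single decision point. The autonomy mode is consulted only after the sender
// check, so "act without asking" can skip the prompt but never the check.
function authorize(message, sender, settings) {
  const source = classifySender(sender);
  if (source === "foreign") return { allow: false, reason: "foreign-sender" };
  if (!message || typeof message.action !== "string")
    return { allow: false, reason: "malformed" };
  if (PRIVILEGED.has(message.action) && source !== "own-ui")
    return { allow: false, reason: "privileged-from-page-context" };
  const confirm = PRIVILEGED.has(message.action) && !settings.actWithoutAsking;
  return { allow: true, confirm };
}

// Wrap every entry point (main listener, side-panel flow, external listener)
// with the same guard so no code path dispatches unchecked messages.
function guarded(handler, settings) {
  return (message, sender, sendResponse) => {
    const decision = authorize(message, sender, settings);
    if (!decision.allow) {
      sendResponse({ error: decision.reason });
      return false;
    }
    handler(message, decision, sendResponse);
    return false;
  };
}
// In an extension (mainHandler is hypothetical):
//   chrome.runtime.onMessage.addListener(guarded(mainHandler, settings));
//   chrome.runtime.onMessageExternal.addListener(guarded(mainHandler, settings));

// Constructed senders for an offline run: foreign extension, page context, own UI.
function demo() {
  const out = [];
  const h = guarded((m, d, reply) => reply({ ok: m.action, confirm: d.confirm }),
                    { actWithoutAsking: true });
  h({ action: "run_task" }, { id: "b".repeat(32) }, (r) => out.push(r));
  h({ action: "run_task" }, { id: OWN_ID, origin: "https://mail.example", tab: { id: 7 } }, (r) => out.push(r));
  h({ action: "run_task" }, { id: OWN_ID, origin: OWN_ORIGIN }, (r) => out.push(r));
  return out;
}
```

With autonomous mode enabled, `demo()` still rejects the first two senders and only the extension's own UI reaches the handler.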

There is no CVE number formally assigned to ClaudeBleed. Anthropic has not published a public security advisory. It is not known whether the vulnerability has been exploited in the wild by malicious extensions distributed through the Chrome Web Store, though the technical preconditions (a malicious extension with zero permissions) are trivially achievable by any extension developer.

The risk is compounded by the growth of agentic AI use cases. As users grant AI browser extensions access to more sensitive web contexts — email, financial accounts, code repositories, SaaS platforms — the blast radius of a hijacked AI assistant increases proportionally. ClaudeBleed represents a concrete example of how the trust model for AI-integrated browser tools has not kept pace with the capabilities being granted to them.

Who Is Affected

Any user who:

  • Has installed the "Claude in Chrome" extension (version 1.0.69 or earlier, and partially 1.0.70 if using "Act without asking" mode)
  • Is logged in to their Anthropic account within the browser session
  • Has any other Chrome extension installed (all extensions can send inter-extension messages by default)

The affected extension is distributed through the Chrome Web Store and is available to all users of Chrome and Chromium-based browsers (Chrome, Edge, Brave, Vivaldi) globally. LayerX did not disclose the total installed user base, but Chrome extension usage among developers and security professionals using Claude for agentic browser automation is significant.

What You Should Do Right Now

  • Update the Claude in Chrome extension. Open chrome://extensions, find the Claude extension, and click Update to ensure you are running at least version 1.0.70. While the patch is incomplete, it does reduce the attack surface for the simplest exploitation paths.
  • Disable "Act without asking" mode. In the Claude extension settings, switch from autonomous operation to confirmation-required mode. This is the single highest-impact mitigation available without disabling the extension entirely, as it removes the primary bypass vector identified in the partial patch.
  • Audit other installed extensions. Review all installed Chrome extensions and remove any that are not actively used. Extensions from unknown publishers or with minimal review histories represent elevated risk in the context of ClaudeBleed.
  • Avoid using Claude in high-sensitivity browser sessions. Until a complete fix is released, avoid using the Claude Chrome extension in browser sessions where you are simultaneously logged in to email, financial services, or code repositories containing sensitive intellectual property.
  • Monitor the LayerX disclosure page and Anthropic's security advisories. Track LayerX's blog for updates on patch status. Anthropic's security page is at anthropic.com/security.

Background: Understanding the Risk

ClaudeBleed is part of a broader and accelerating category of security research focused on AI agent hijacking — attacks that redirect an AI assistant's actions from serving the legitimate user to serving an attacker. As AI tools become capable of taking consequential real-world actions (sending messages, accessing files, executing code), the security model protecting those capabilities becomes critical infrastructure in its own right.

Browser extensions represent a particularly fertile attack surface for AI hijacking because: (1) browsers are where users conduct their most sensitive work; (2) the Chrome extension ecosystem has millions of published extensions with inconsistent review standards; and (3) the Chrome permission model was designed for an era when extensions accessed static page content, not controlled live AI agents.

The ClaudeBleed research builds on earlier work in "prompt injection" attacks — where malicious content embedded in a webpage hijacks an AI reading that page and redirects it. ClaudeBleed, however, does not require the attacker to plant malicious content anywhere the user visits; the attack runs entirely within the browser's extension layer, making it invisible to network monitoring and independent of user browsing behavior.

Anthropic is not unique in facing this class of vulnerability. Any AI browser extension that performs agentic actions on behalf of users — whether from OpenAI, Google, or other providers — must grapple with the same fundamental trust boundary problem: the extension must distinguish between legitimate user commands and injected attacker commands, in an environment (the browser) specifically designed for cross-origin communication.

Conclusion

ClaudeBleed is a maximum-severity (CVSS 10.0) vulnerability in Anthropic's Claude Chrome extension that allows any other extension to hijack Claude and exfiltrate sensitive user data. Update to version 1.0.70, disable "Act without asking" mode, and audit your installed extensions immediately. A complete fix has not yet been released; treat agentic AI browser access as elevated-risk until Anthropic issues a full resolution.
