Cybersecurity researchers disclosed a vulnerability in Anthropic’s Claude Google Chrome Extension that could have allowed a malicious website to inject prompts into Claude without any user interaction: the victim only had to visit a page.
The flaw stems from an overly permissive origin allowlist that let any subdomain matching *.claude[.]ai send a prompt to Claude, combined with a DOM-based XSS vulnerability in an Arkose Labs CAPTCHA component hosted on a-cdn.claude[.]ai that enabled arbitrary JavaScript execution in the context of that domain, according to Koi Security.
A threat actor could use this to deliver a prompt to the Claude extension via a hidden iframe and postMessage, with the attacker’s page embedding the vulnerable Arkose component and the victim seeing no notice. Following responsible disclosure on 27 December 2025, Anthropic patched the extension to enforce an exact origin match to claude[.]ai, while Arkose Labs fixed the XSS flaw on its side as of 19 February 2026.
The researchers warned that as AI browser assistants grow more capable, their security depends on the strength of their trust boundaries and their origin checks.
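The difference between the wildcard allowlist and the exact-origin fix described above can be seen in a small message-receiver sketch. This is an added example, not code from Anthropic, Arkose Labs or Koi Security; the stand-in domain `assistant.example`, the function names and the `{ prompt }` message shape are assumptions made for illustration.

```javascript
// Added example. TRUSTED_HOST is a stand-in domain, not the real product's.
const TRUSTED_HOST = "assistant.example";
const TRUSTED_ORIGIN = `https://${TRUSTED_HOST}`;

// Weak check: accepts the apex host and every subdomain (the "*.host" pattern).
// Any script running on any subdomain, including third-party content hosted
// there, inherits the right to send prompts.
function permissiveOriginCheck(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  return url.protocol === "https:" &&
    (url.hostname === TRUSTED_HOST || url.hostname.endsWith("." + TRUSTED_HOST));
}

// Hardened check: the sender's origin must equal one exact origin string.
function exactOriginCheck(origin) {
  return origin === TRUSTED_ORIGIN;
}

// Receiver logic as it would run inside a "message" event listener.
// `event` carries the browser-supplied origin and the sender-supplied data.
function handleMessage(event, isAllowed) {
  if (!isAllowed(event.origin)) return { accepted: false, reason: "origin rejected" };
  if (typeof event.data?.prompt !== "string") return { accepted: false, reason: "bad payload" };
  return { accepted: true, prompt: event.data.prompt };
}

// Constructed sample origins, not taken from any real traffic.
const SAMPLE_ORIGINS = [
  "https://assistant.example",            // the application itself
  "https://a-cdn.assistant.example",      // subdomain serving a third-party component
  "https://assistant.example.evil.test",  // look-alike suffix
  "http://assistant.example",             // wrong scheme
  "null",                                 // opaque origin (e.g. sandboxed iframe)
];

// Run both checks over every sample so the gap between them is visible.
function compareChecks() {
  return SAMPLE_ORIGINS.map((origin) => ({
    origin,
    permissive: permissiveOriginCheck(origin),
    exact: exactOriginCheck(origin),
  }));
}

console.table(compareChecks());
```

Only the subdomain row differs between the two columns, which is the trust gap the exact-match patch closes.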