
RESEARCHERS have disclosed a flaw in the Claude for Chrome browser extension that lets malicious add‑ons seize control of the assistant and access Gmail, Google Docs and calendar data without the user’s knowledge. The vulnerability, nicknamed ClaudeBleed, means a seemingly harmless extension can issue commands that the trusted assistant executes on behalf of the victim.
The issue stems from two related weaknesses in how Claude validates incoming messages from other extensions. One weakness allows a rogue add‑on to pretend to be a legitimate instruction, tricking the assistant into performing actions such as reading emails or drafting messages. The other weakness exists when the extension’s “Act without asking” mode is enabled, which removes the confirmation step and lets the malicious command run silently.
Although no CVE identifiers have been assigned to these problems, Manifold Security reported them to Anthropic on 21 May and noted that the most recent version of the extension still contains the flaws. No threat actors have been observed exploiting the issue in the wild, but the silent nature of the abuse makes it a prime candidate for espionage or data‑theft campaigns.
The discovery highlights a broader risk with browser extensions that request broad access to services like Gmail. When an extension trusts messages from any other add‑on without strong origin verification, it opens a channel for privilege escalation that can bypass typical user‑level controls.
Defenders should start by reviewing the permissions granted to Claude for Chrome and consider disabling the “Act without asking” setting within the extension’s options. Users ought to install add‑ons only from verified sources and periodically audit their extension list for any unfamiliar or suspicious entries.
Enterprise administrators can enforce extension allow‑lists through group policy or browser management tools, limiting which add‑ons may run in corporate environments. Monitoring outbound traffic for unexpected requests to Google endpoints can also help detect attempts to exfiltrate data via a compromised assistant.