Security researchers at Manifold disclosed two unpatched vulnerabilities in Claude for Chrome — Anthropic’s browser extension that functions as an AI agent capable of taking actions on web pages — that allow a malicious browser extension installed in the same browser to silently invoke Claude’s capabilities without the user’s knowledge. The vulnerabilities affect access to Gmail messages, Google Docs documents, and Google Calendar entries. Anthropic had not addressed the flaws across eight subsequent extension releases following Manifold’s initial report on May 21.
How the Manifold-Disclosed Flaw Lets Extensions Invoke Claude Without Consent
Claude for Chrome operates as an AI agent with elevated permissions to read and interact with web pages the user visits, including web-based services such as Gmail and Google Docs. The vulnerabilities Manifold disclosed center on the mechanism Claude for Chrome uses to activate and execute tasks: that mechanism does not verify whether an invocation originated from a genuine user action or was programmatically triggered by another browser extension.
A malicious Chrome extension installed alongside Claude for Chrome can exploit this gap to silently invoke Claude’s agent capabilities without generating any visible prompt or requiring user interaction. Because Claude for Chrome has permission to read any web-based content the user can access, an attacker with a malicious extension installed in the victim’s browser can direct Claude to read Gmail messages, access Google Docs contents, and retrieve Google Calendar entries — all without the user observing any action being taken in the browser.
How the Extension-to-Extension Invocation Defeats Anthropic’s ClaudeBleed Mitigation
The vulnerability stems from an incomplete fix to “ClaudeBleed,” an earlier vulnerability in Claude for Chrome that Anthropic had previously addressed. The ClaudeBleed fix restricted which prompts external webpages could feed into Claude — specifically, it prevented arbitrary web content from injecting instructions into the Claude agent through page-level manipulation. That mitigation addressed the web-page-to-agent vector but did not address the extension-to-extension invocation path.
Manifold’s research demonstrated that a malicious browser extension, operating with its own extension permissions within the browser, can invoke Claude for Chrome through a channel that Anthropic’s earlier mitigation did not cover. Browser extensions and web pages represent distinct permission contexts in Chrome’s architecture: the page-level restriction Anthropic implemented does not apply to extension-to-extension communication, leaving a gap that Manifold’s disclosed vulnerabilities occupy.
Gmail, Google Docs, and Google Calendar Data Exposed to Silent Agent Invocation
An attacker who delivers a malicious Chrome extension to a victim who has Claude for Chrome installed can read incoming and stored Gmail messages, extract content from Google Docs documents the user has open or accessible, and retrieve Google Calendar entries including meeting details, invitees, and attached information. Claude for Chrome’s agent capabilities — designed to let users delegate browsing and web-service tasks to the AI — become the mechanism through which an attacker silently accesses that same data.
The attack model requires that the victim have both a malicious browser extension and Claude for Chrome installed in the same browser profile. Malicious Chrome extensions reaching users through social engineering or compromised extension listings are a documented and recurring attack vector. For users with Claude for Chrome installed, the presence of a malicious extension would carry additional data exposure risk beyond the extension’s own permissions because of the agent invocation vulnerability.
Eight Patch Releases Without a Fix Since Manifold’s May 21 Report
Manifold reported the vulnerabilities to Anthropic on May 21, 2026. Between that date and Manifold’s July 14 public disclosure, Anthropic released eight subsequent versions of the Claude for Chrome extension, reaching version 1.0.80. None of those releases addressed the disclosed vulnerabilities, according to Manifold’s research. Anthropic had not issued a public statement in response to the disclosure at the time of publication.
The persistence of the vulnerability across eight patch releases after a formal report raises questions about Anthropic’s security patch triage process for its browser agent products. Claude for Chrome is distinct from Anthropic’s API-based products and server-side services; it is a browser extension with client-side code running inside users’ browsers with access to their web sessions. The patch cadence for a product in this category — which handles live authenticated web sessions across sensitive platforms — carries a different urgency profile than backend service patches. Users who have Claude for Chrome installed alongside other extensions should be aware that the vulnerabilities remain unpatched as of Manifold’s July 14 disclosure.
