Researchers at Manifold disclosed two unpatched vulnerabilities in Anthropic’s Claude for Chrome extension that can let a malicious browser extension trigger Claude actions and access sensitive Google Workspace content, including Gmail messages, Google Docs data and comments, and Google Calendar entries. The researchers said the flaws were reported in May and remained reproducible in version 1.0.80, with one issue allowing another extension that has script access on claude.ai to simulate a trusted user click and launch hardcoded Claude prompts on the victim’s behalf.
The weaknesses stem in part from Anthropic’s earlier mitigation for ClaudeBleed, which limited prompts to pre-approved tasks but did not verify that task-triggering clicks came from a real user. Manifold also identified a separate design flaw in which Claude’s side panel can enter a privileged no-confirmation mode through a URL parameter, creating a potential privilege-escalation path if a future bug allows outside control of that parameter. The risk is highest when users enable Claude’s “Act without asking” mode, because the extension may perform actions without visible consent prompts; Anthropic acknowledged the reports but had not issued fixes, saying one issue was already tracked internally and the other was not externally reachable.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Anthropic acknowledged Manifold's reports but did not ship fixes. According to the reporting, the company said one issue was already internally tracked and the other was not externally reachable.
Researchers at Manifold reported two vulnerabilities in Anthropic's Claude for Chrome extension in May 2026. The issues involved simulated trusted clicks that could trigger Claude actions and a side-panel no-consent mode reachable via a URL parameter.
Manifold reported that two vulnerabilities in Claude for Chrome remained exploitable despite eight subsequent releases, including version 1.0.80. The flaws could let a malicious extension trigger Claude actions and expose Gmail, Google Docs, and Google Calendar data, especially when 'Act without asking' is enabled.
Anthropic released Claude for Chrome version 1.0.80 on July 7, 2026. Manifold said both previously reported vulnerabilities were still reproducible in that release.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
malware.news
Open sourcecsoonline.com
Open sourcecysecurity.news
Open sourcethehackernews.com
Open sourcecybersecuritynews.com
Open sourcesecurityweek.com
Open sourcemanifold.security
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.