ClaudeBleed: Claude for Chrome Lets Rogue Extensions Read Gmail Security researchers at Manifold Security disclosed a trust-boundary flaw in Anthropic's Claude for Chrome extension that lets rogue extensions read Gmail, Google Docs, and Calendar. The vulnerability, a confused-deputy problem, remains unpatched across eight releases since the May 21 report, despite a one-line fix. The severity ranges from 7.7 High to 9.6 Critical depending on user settings. Claude for Chrome reached general availability on July 1. Thirteen days later, security researchers at Manifold Security confirmed a trust-boundary flaw in the extension lets any rogue Chrome extension silently read your Gmail, Google Docs, and Calendar — and the fix is one line of code that Anthropic still has not shipped across eight subsequent releases. A Six-Line Attack, a One-Line Fix The vulnerability is a textbook confused-deputy problem. Claude for Chrome has real authority — access to your Google accounts, Salesforce, whatever you’ve connected — but a design flaw lets a malicious Chrome extension impersonate you and invoke that authority without your knowledge. Here’s the mechanism: the extension’s click handler listens for clicks on a specific page element and reads a task ID attribute to decide which of nine hardcoded prompts to fire. The problem is that the handler never checks event.isTrusted — the browser flag that is true for genuine user clicks and false for JavaScript-generated synthetic events. Any other extension with DOM access on claude.ai a very common permission can inject a fake button, set a task ID, and dispatch a synthetic click. Claude treats it as a legitimate request and executes the task. Manifold Security’s researchers https://www.manifold.security/blog/claude-for-chrome-extension-bypass demonstrated the full attack chain in six lines of JavaScript. Their proposed fix from the disclosure? Add if n.isTrusted return; at the top of the click handler. Synthetic clicks rejected. Real user clicks unaffected. One line. Eight releases since the report — it still isn’t there. What’s Actually at Risk The nine hardcoded tasks span a meaningful slice of your work life. The three Google integrations are the headline risk: Claude can be tricked into reading your Gmail and in Act-without-asking mode, drafting and sending emails as you , reading your Google Docs comments, and viewing your Calendar and creating events. Salesforce lead modification is also on the list. The severity depends on your settings. With Claude’s default confirmation dialogs enabled, the CVSS score sits at 7.7 High — serious, but a malicious extension still has to trigger the flow and you’d see a prompt. If you’ve turned on “Act without asking” mode which Anthropic markets as a power-user feature for agentic workflows , the CVSS jumps to 9.6 Critical. No dialogs. Silent execution. The attacker’s extension fires, Claude reads your inbox, done. The Timeline Is the Story Manifold Security reported both bugs on May 21, 2026. Anthropic acknowledged within a day and closed the reports — characterizing the synthetic click issue as already tracked by “existing internal documentation.” On June 9, Anthropic internally marked the broader issue as “resolved.” On July 7, Claude for Chrome v1.0.80 shipped, and the researchers checked: the vulnerable code was byte-for-byte identical to v1.0.72, the build where they first found it. Bleeping Computer https://www.bleepingcomputer.com/news/security/claude-chrome-extension-flaw-lets-malicious-extensions-trigger-ai-actions/ and The Hacker News https://thehackernews.com/2026/07/claude-for-chrome-flaw-lets-other.html both confirmed the public disclosure on July 14. “Resolved” is doing a lot of heavy lifting in that response. To be clear, Anthropic’s June mitigation did accomplish something — they added a task ID allowlist that restricts which nine prompts can be invoked. That addresses what a rogue extension can ask Claude to do. It does not address who gets to ask. The confused-deputy flaw — a malicious extension impersonating the user — remains. There’s Also a Second Bug Manifold’s report covered a second issue: Claude’s side panel enters unrestricted mode when launched with ?skipPermissions=true appended to its URL. In that mode, the panel skips all confirmation dialogs from the start. Currently, only the extension itself constructs that URL, so there’s no direct external exploitation path today. But it’s a latent risk. Any future regression — an XSS flaw in the options page, a URL-accepting message handler, a panel-building bug — could chain the privilege escalation into a fully silent account compromise. The researchers called it a ticking time bomb. The framing is apt. What to Do Right Now Three things, in order of priority: Disable “Act without asking.” Go to Claude for Chrome settings and turn off autonomous mode. This drops the attack severity from Critical to High and restores confirmation dialogs, giving you a chance to spot unexpected activity. Audit your Chrome extensions. Open chrome://extensions , expand each extension’s permissions, and check for anything with access to all sites or specifically to claude.ai. Extensions you don’t recognize or actively use should go. Consider disabling Claude for Chrome on sensitive machines. If you run Claude Code on a workstation that’s also logged into a corporate Gmail, Docs environment, or Salesforce account, that’s an elevated-risk configuration until a patch ships. A browser without the extension can’t be the confused deputy. Watch Anthropic’s changelog for v1.0.81 or later. The fix is known and minimal — when it ships, the upgrade is worth doing immediately. Until then, the extension’s trust surface is wider than most users realize. The Larger Point AI browser agents are expanding their footprint quickly. Claude Code’s browser integration, designed to let developers run build-test-fix loops without leaving their IDE, is genuinely useful. But the more authority an agent accumulates — screen read, click execution, account access — the more critical it becomes to get trust boundaries right at the design level. The confused-deputy problem has been a known vulnerability class for decades. The browser has provided event.isTrusted specifically to prevent synthetic-click abuse. Shipping without checking it — and then taking two months to apply the one-line fix after researchers report it — is the kind of gap that erodes trust in AI tooling faster than any benchmark can rebuild it.