Claude Chrome extension flaw lets malicious extensions trigger AI actions
A vulnerability in Anthropic's Claude Chrome extension allows malicious browser extensions to trigger predefined AI workflows by simulating user clicks without verifying their authenticity. This flaw enables abuse of Claude's access to connected services such as Gmail, Google Docs, Google Calendar, and Salesforce. The attack requires a malicious extension installed by the user and is limited to nine predefined tasks. The vulnerability does not permit arbitrary prompt injection or direct compromise of the Claude extension. The issue remains present in version 1.0.80 of the extension as of July 7, 2026. Anthropic acknowledged the report and is tracking it as part of a broader issue. A second informational finding related to permission bypass exists but is not directly exploitable alone.
AI Analysis
Technical Summary
The Claude Chrome extension listens for click events on specific page elements to trigger predefined AI workflows that interact with connected services like Gmail and Salesforce. It fails to verify the Event.isTrusted property, which distinguishes real user clicks from synthetic JavaScript-generated events. A malicious extension with permission to run on claude.ai can inject elements and generate synthetic clicks, causing Claude to execute these workflows without user consent. The flaw is limited to nine built-in tasks and requires a malicious extension installed by the user. The vulnerability was reported by Manifold Security and remains reproducible in version 1.0.80. Anthropic has acknowledged the issue and closed the synthetic-click report, tracking it as part of a broader problem. A second issue involving an internal skipPermissions=true parameter was also reported but deemed informational and not directly exploitable.
Potential Impact
A malicious browser extension can abuse the Claude extension's authenticated access to connected services by triggering predefined AI workflows without genuine user interaction. This could lead to unauthorized reading, modification, or creation of data in services such as Gmail, Google Docs, Google Calendar, and Salesforce, depending on the user's Claude extension configuration and permission settings. The impact is limited to the nine predefined tasks and requires the user to install a malicious extension with permissions on claude.ai. There is no indication of arbitrary code execution or prompt injection beyond these tasks.
Mitigation Recommendations
Anthropic has acknowledged the vulnerability and is tracking it as part of a broader issue. As of July 7, 2026, the flaw remains reproducible in version 1.0.80 of the Claude Chrome extension. No official patch or fix has been confirmed yet. Users should exercise caution when installing browser extensions, especially those requesting permissions on claude.ai. Monitor vendor advisories for updates and apply official fixes once available. Avoid enabling the 'Act without asking' setting in Claude to reduce risk of automated unauthorized actions.
Claude Chrome extension flaw lets malicious extensions trigger AI actions
Description
A vulnerability in Anthropic's Claude Chrome extension allows malicious browser extensions to trigger predefined AI workflows by simulating user clicks without verifying their authenticity. This flaw enables abuse of Claude's access to connected services such as Gmail, Google Docs, Google Calendar, and Salesforce. The attack requires a malicious extension installed by the user and is limited to nine predefined tasks. The vulnerability does not permit arbitrary prompt injection or direct compromise of the Claude extension. The issue remains present in version 1.0.80 of the extension as of July 7, 2026. Anthropic acknowledged the report and is tracking it as part of a broader issue. A second informational finding related to permission bypass exists but is not directly exploitable alone.
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Claude Chrome extension listens for click events on specific page elements to trigger predefined AI workflows that interact with connected services like Gmail and Salesforce. It fails to verify the Event.isTrusted property, which distinguishes real user clicks from synthetic JavaScript-generated events. A malicious extension with permission to run on claude.ai can inject elements and generate synthetic clicks, causing Claude to execute these workflows without user consent. The flaw is limited to nine built-in tasks and requires a malicious extension installed by the user. The vulnerability was reported by Manifold Security and remains reproducible in version 1.0.80. Anthropic has acknowledged the issue and closed the synthetic-click report, tracking it as part of a broader problem. A second issue involving an internal skipPermissions=true parameter was also reported but deemed informational and not directly exploitable.
Potential Impact
A malicious browser extension can abuse the Claude extension's authenticated access to connected services by triggering predefined AI workflows without genuine user interaction. This could lead to unauthorized reading, modification, or creation of data in services such as Gmail, Google Docs, Google Calendar, and Salesforce, depending on the user's Claude extension configuration and permission settings. The impact is limited to the nine predefined tasks and requires the user to install a malicious extension with permissions on claude.ai. There is no indication of arbitrary code execution or prompt injection beyond these tasks.
Mitigation Recommendations
Anthropic has acknowledged the vulnerability and is tracking it as part of a broader issue. As of July 7, 2026, the flaw remains reproducible in version 1.0.80 of the Claude Chrome extension. No official patch or fix has been confirmed yet. Users should exercise caution when installing browser extensions, especially those requesting permissions on claude.ai. Monitor vendor advisories for updates and apply official fixes once available. Avoid enabling the 'Act without asking' setting in Claude to reduce risk of automated unauthorized actions.
Threat ID: 6a5931d268715ace43963904
Added to database: 07/16/2026, 19:32:34 UTC
Last enriched: 07/16/2026, 19:32:47 UTC
Last updated: 07/16/2026, 23:03:08 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.