Security researchers at Manifold Security have disclosed two unpatched vulnerabilities in Anthropic’s Claude for Chrome browser extension that could allow other browser extensions to read a victim’s Gmail messages, Google Docs, and Calendar data without authorization.
The first flaw, rated CVSS 7.7 in default mode and 9.6 Critical when users enable “Act without asking” automation, involves a content script that accepts synthetic click events. Any other extension with access to the claude.ai domain can forge a click on a hidden button to trigger Claude to read Gmail, the latest Google Doc, or Calendar entries. The extension never checks the browser’s event.isTrusted flag that distinguishes real user clicks from scripted ones.
Anthropic previously restricted arbitrary prompts in response to the ClaudeBleed vulnerability in May 2026, but the new bypass leaves the fixed set of nine allowlisted tasks still triggerable. Three of those tasks — usecase-gmail, usecase-gdocs, and usecase-calendar — handle sensitive user data.
In the default “ask before acting” mode, the forged task still requires a user to click an approval box. However, users who enabled “Act without asking” mode have no such protection. Manifold demonstrated the attack using six lines of JavaScript pasted into the claude.ai console.
A second, quieter flaw involves a skipPermissions parameter that could bypass the approval step entirely if reached. The vulnerabilities affect Claude for Chrome v1.0.80 and earlier. Users should disable “Act without asking” mode and review which extensions have permission to access claude.ai.
