A security weakness in Anthropic’s Claude for Chrome browser extension allows malicious browser extensions to execute predefined AI workflows without genuine user interaction. By failing to verify whether a user’s click is authentic, the extension can be tricked into performing actions such as reading private data from Gmail, Google Docs, and Google Calendar, or manipulating business workflows in Salesforce. The vulnerability was identified by researchers at Manifold Security, who reported the issue to Anthropic in May 2026. According to Manifold, the flaw remains reproducible in Claude for Chrome version 1.0.80, which was released on July 7, 2026.
The Mechanism of the “ClaudeBleed” Flaw
The security gap, referred to as “ClaudeBleed,” centers on how the extension handles interactions with page elements designed to launch built-in AI workflows. Under normal circumstances, web applications can verify the legitimacy of a user’s action by checking the `isTrusted` property of an event. A physical mouse click or key press generates a “trustedevent, while an interaction generated by JavaScript is marked as
untrusted.”
Manifold researchers discovered that the Claude for Chrome extension fails to check this `isTrusted` signal. Consequently, an attacker who successfully persuades a victim to install a malicious browser extension—one with permission to run code on the `claude.ai` domain—can programmatically generate a synthetic click. The Claude extension treats this synthetic interaction as a valid user request, allowing the malicious extension to drive the AI assistant’s behavior behind the scenes.

Potential Impact and Scope
While this attack does not provide an attacker with the ability to submit arbitrary prompts or take total control of the Claude interface, it grants them access to a hardcoded list of nine specific workflows. The consequences of an attack depend heavily on the user’s configuration. Manifold assigned the issue a CVSS score of 7.7 under default approval settings, but that score increases to 9.6 when the user has enabled Claude’s optional Act without asking
mode. In this mode, sensitive operations may proceed without requiring an additional confirmation step from the user.
Broader Security Context for AI Agents
The vulnerability highlights the risks associated with the integration of AI agents into browser environments. Researchers emphasize that the industry is facing a rapidly evolving threat landscape regarding AI agents. Beyond the Claude for Chrome extension issues, other vulnerabilities have been identified in the broader Anthropic ecosystem. For example, researchers from Oasis Security recently identified a separate vulnerability dubbed “PromptFiction” in the Claude Desktop application, which could have allowed for silent data exfiltration or remote code execution.
Recommended Safety Measures
Until a comprehensive fix is provided for the Claude for Chrome extension, security experts recommend several steps to mitigate risk:
* Adjust Configuration: Disable the Act without asking
feature within the Claude for Chrome extension settings to ensure all actions require manual approval.
* Audit Extensions: Regularly review installed browser extensions and remove any that are not fully trusted or necessary.
* Restrict Permissions: Be cautious about granting AI browser assistants access to sensitive accounts, such as primary email, document storage, or calendar services.
* Limit Usage: Consider disabling the extension entirely on systems used to handle sensitive business accounts or private communications.
Manifold Security noted that while Anthropic has acknowledged the reports, the fundamental issue regarding how the extension handles privilege handoffs remains. Despite several updates to the extension since the initial disclosure in May, the researchers maintain that the core bypass remains functional.
Discover more from Archyworldys
Subscribe to get the latest posts sent to your email.