Researchers have disclosed a vulnerability in Claude for Chrome that allows malicious browser extensions to execute tasks on a user's Gmail, Google Docs, and Google Calendar without authorization.

The flaw stems from insufficient isolation between Claude for Chrome and other extensions running on claude.ai. Any extension capable of executing scripts on the Claude website can trigger Claude to perform actions on connected Google services. An attacker would need to deploy a rogue extension first, but once installed, the path to abuse becomes straightforward.

This vulnerability follows ClaudeBleed, an earlier flaw affecting the same tool. Both attacks require a malicious extension already present in the target's browser. The practical difference lies in scope. ClaudeBleed allowed arbitrary prompt injection; the Claude for Chrome flaw narrows the attack surface to specific Google integrations but removes the need for complex prompt manipulation.

Anthropic addressed the arbitrary-prompt vulnerability in May as part of a broader security review. However, researchers say the latest flaw persists because the company did not fully isolate extension communication channels from untrusted scripts running on claude.ai.

The risk applies primarily to users who install Claude for Chrome alongside other extensions, particularly those from unknown developers. An attacker gains access to read emails, modify documents and comments, and view calendar entries. The attack requires no user interaction beyond the initial extension installation.

Organizations using Claude for Chrome should audit installed extensions immediately. Limit extensions to essential tools from trusted vendors. Anthropic users should update to the latest version of Claude for Chrome, which may include patches for this issue.

The vulnerability underscores a broader challenge with browser extension security. Even AI assistants with strong authentication can expose user data when extension isolation fails. Users should treat browser extensions with the same caution applied to native applications and review permissions regularly.