Any Chrome Extension Could Have Hijacked Claude — Even One With Zero Permissions
LayerX disclosed ClaudeBleed on May 6 — a vulnerability in Anthropic's Claude Chrome extension that allowed any other Chrome extension, even one with zero permissions, to send messages to Claude and exfiltrate user data. Anthropic patched it in v1.0.70 within 24 hours, but the patch is partial.
The disclosure window was 24 hours, end-to-end. The patch is partial. The defender takeaway is the broader extension-trust model that the disclosure illustrates — not the specific vendor at the center of it.
BOSTON — LayerX disclosed on May 6, 2026 a vulnerability dubbed ClaudeBleed in Anthropic's Claude Chrome extension, the browser-resident agent that lets users invoke Claude across web pages. Per LayerX researcher Aviad Gispan, the vulnerability allowed any other Chrome extension installed on the same browser — including extensions with no declared host permissions and no special access — to send arbitrary messages to the Claude extension, instruct it to perform actions on behalf of the user, and exfiltrate the resulting data to an attacker-controlled destination. Anthropic patched the issue in Claude Chrome extension v1.0.70 within roughly 24 hours of receipt.
For organizations whose users have the Claude Chrome extension installed, the operational fact is that you should already be on v1.0.70 or later — Chrome's auto-update will handle this for most installations, but enterprise environments that pin extension versions need to verify. The more durable defender takeaway is the extension-trust model that ClaudeBleed illustrates: a browser extension with elevated capabilities can be addressed via inter-extension messaging by any other extension on the same browser, and the cross-trust assumptions baked into Chrome's extension architecture do not always match what users assume. The pattern fits alongside the broader 2026 AI deployment risk surface, where AI agent surfaces are now first-class attack targets.
What ClaudeBleed allowed
The Claude Chrome extension exposes message-handling code that, in versions before 1.0.70, accepted runtime messages from any other extension installed on the same browser without sufficient validation of the sender's identity or intent. Per LayerX's writeup, this meant a malicious extension could craft a message instructing Claude to perform an action — read page content, transmit data to an external destination, or execute other agent capabilities — and the Claude extension would carry it out under the user's authentication context. The "even with zero permissions" framing matters because it bypasses the standard threat model that assumes extensions with limited declared permissions are limited in what they can reach.
The technical root is in Chrome's externally_connectable mechanism and the way Manifest V3 extensions handle chrome.runtime.onMessageExternal. If an extension does not strictly validate which other extensions can send it messages, any extension on the same browser becomes a trusted message source. This is a longstanding subtlety of Chrome's extension architecture; ClaudeBleed is a specific instance, not a unique pattern.
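The sender check described above, sketched as an added example (this is not Anthropic's code or its patch; the extension ID, action table and function names are assumptions made for illustration). It rejects any caller whose browser-supplied sender.id is not on an explicit allowlist, then validates the message shape before dispatching:

```javascript
// Manifest side (MV3): list the only extension IDs allowed to connect, e.g.
//   "externally_connectable": { "ids": ["<companion extension id>"] }
// Without that key, Chrome lets every installed extension send messages.

// Constructed placeholder ID (assumption), not a real extension.
const TRUSTED_IDS = new Set(["a".repeat(32)]);

// Hypothetical action table: the only operations external callers may invoke.
const EXTERNAL_ACTIONS = {
  ping: () => ({ ok: true, result: "pong" }),
};

function isTrustedSender(sender, trustedIds = TRUSTED_IDS) {
  // sender.id is filled in by the browser, not by the calling extension.
  // Web pages and malformed senders have no id and are rejected.
  return Boolean(sender) && typeof sender.id === "string" && trustedIds.has(sender.id);
}

function handleExternalMessage(message, sender, trustedIds = TRUSTED_IDS) {
  // 1. Identity first: nothing in the message is read for untrusted senders.
  if (!isTrustedSender(sender, trustedIds)) {
    return { ok: false, error: "untrusted_sender" };
  }
  // 2. Shape: a plain object carrying a string action name.
  if (message === null || typeof message !== "object" || typeof message.action !== "string") {
    return { ok: false, error: "malformed_message" };
  }
  // 3. Own-property lookup so names like "constructor" never resolve.
  if (!Object.prototype.hasOwnProperty.call(EXTERNAL_ACTIONS, message.action)) {
    return { ok: false, error: "unknown_action" };
  }
  return EXTERNAL_ACTIONS[message.action](message.args);
}

// Register only inside an extension context; the logic above also runs under Node.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    sendResponse(handleExternalMessage(message, sender));
  });
}
```

The manifest allowlist and the in-handler check are independent layers; keeping both means a manifest regression does not silently reopen the handler to every installed extension.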
The 24-hour patch and what it covers
Anthropic shipped v1.0.70 within roughly 24 hours of LayerX's disclosure, which is a fast vendor response. The patch tightens the message validation logic to reject messages from non-trusted senders. LayerX has noted that the patch is partial — specifically, that some variations of the inter-extension messaging path remain reachable in scenarios LayerX continues to research. The recommendation for users is to update to the latest version and treat the extension's permissions as broader than the user-facing UI suggests.
For Anthropic's part, the rapid response and active engagement with the researcher are the kind of vendor behavior the security community wants to encourage. The broader question — whether AI agent extensions need a fundamentally tighter inter-extension trust model — is one the entire ecosystem now needs to answer, not just one vendor.
The defender takeaway is the trust model
Chrome's extension model treats extensions on the same browser as more trusted than arbitrary websites, and less trusted than the browser process itself. For most extensions, this is fine. For an AI agent extension that operates with the user's authentication context across multiple sites and can be instructed to take action, the threshold for trusting another extension on the same browser should be much higher than the Chrome default. Enterprise environments managing AI agent extensions should reduce the surface by limiting which other extensions are installable on the same browser profile, particularly on profiles used for sensitive workflows.
The CyberSignal Analysis
Signal 01 — AI agent extensions are first-class attack surfaces
The pattern ClaudeBleed exposes is not Anthropic-specific. Any browser extension that operates as an AI agent — taking action on behalf of the user across multiple sites — is a privileged surface. Treat such extensions with the same scrutiny as enterprise password managers and authentication tools, which they functionally resemble in the trust they command.
Signal 02 — Vendor disclosure response is the right pattern to reinforce
A 24-hour patch deployment with active researcher engagement is the response pattern the security community wants every vendor to adopt. Cite Anthropic's response when making the case to your own vendors that fast disclosure-to-patch turnaround is achievable. The Schemata DoD case earlier this week is the counterexample where the bar was missed; ClaudeBleed is the example where it was met.
Signal 03 — Chrome extension policy is now an AI security control
Most enterprise extension allow-lists are inherited from a pre-AI-agent era when extensions were relatively contained tools. Update the allow-list policy to reflect that extensions can now operate as autonomous agents, that their cross-extension trust surface matters, and that profiles used for sensitive workflows should have a tighter set of installable extensions than profiles used for general browsing.
What to do this week
- Verify that the Claude Chrome extension is on v1.0.70 or later across your fleet. For enterprise environments using Chrome managed extensions, check the pinned version policy and update if needed.
- Audit which other extensions are installable alongside AI agent extensions on managed Chrome profiles. Tighten the policy for profiles used for sensitive workflows like financial systems, source code, and customer data access.
- Add to your AI vendor security review checklist: an explicit question on inter-extension messaging trust model and how the vendor validates message senders. The answer should be specific, not generic.