Chrome Gemini Bug Lets Malicious Extensions Spy on PCs

Last updated: March 2, 2026 3:19 pm
By Gregory Zuckerman

A high-severity flaw in Chrome’s Gemini AI assistant can let seemingly harmless extensions jump the fence and spy on your computer, according to new research from Palo Alto Networks’ Unit 42. The bug enables script injection into the Gemini panel, potentially unlocking webcam, microphone, screenshot, and local file access that a typical extension should never touch.

What Researchers Found About the Chrome Gemini Panel Flaw

Senior principal researcher Gal Weizman of Unit 42 disclosed that the issue, tracked as CVE-2026-0628, stems from insufficient policy enforcement in Chrome’s WebView tag. In affected builds, a maliciously crafted extension could slip JavaScript or HTML into Gemini’s privileged interface and hijack its actions. The flaw was privately reported to Google, reproduced, and fixed in recent Chrome stable updates.

Table of Contents
  • What Researchers Found About the Chrome Gemini Panel Flaw
  • How the Exploit Works to Hijack the Gemini Panel
  • What Attackers Could Access by Abusing the Gemini Panel
  • Who Is at Risk from Malicious Extensions Exploiting Gemini
  • Google’s Fix and the Chrome Versions You Need to Know
  • How to Protect Your Browser Now Against Gemini Exploits
  • Why Agentic AI Raises the Stakes for Browser Security
  • Bottom Line on the Chrome Gemini Extension Hijack Risk

The twist: the extension doesn’t need scary permissions to be dangerous. Weizman’s team showed that an add-on using the standard declarativeNetRequest API could be weaponized to grant itself a pathway into Gemini’s panel—a new, high-value browser surface introduced with agentic AI features.

How the Exploit Works to Hijack the Gemini Panel

Gemini’s panel is designed to perform actions on your behalf—summarize pages, fill forms, manage tasks. That legitimate ability creates a unique risk. By injecting code into this component, an attacker can instruct Gemini to initiate actions and request system resources the extension itself shouldn’t control. Because the panel is a privileged page, subverting it effectively piggybacks on Chrome’s trusted workflows.

Unit 42’s proof of concept chained a benign-looking extension installation with the injection vector, culminating in a scenario where the Gemini interface could be coerced into taking photos, recording audio, reading directories, or displaying phishing overlays—all without the user understanding that the assistant’s panel had been commandeered.

What Attackers Could Access by Abusing the Gemini Panel

Once the Gemini panel is hijacked, attackers could:

  • Activate webcam or microphone requests through the assistant’s workflows.
  • Capture screenshots of active tabs or the desktop where permitted.
  • Read or enumerate local files and directories via assistant-driven file interactions.
  • Render convincing phishing panels within the trusted Gemini UI to steal credentials.

Crucially, each step leverages the assistant’s intended capabilities, amplifying the impact compared with a conventional extension attack.


Who Is at Risk from Malicious Extensions Exploiting Gemini

Anyone running a vulnerable version of Chrome with Gemini features enabled faces exposure if they install a malicious extension. With Chrome responsible for roughly 64% of global browser market share, according to StatCounter, even a targeted exploit chain represents a wide attack surface. The Chrome Web Store hosts tens of thousands of extensions, and history shows that adversaries routinely smuggle malicious or compromised add-ons through social engineering and cloneware.

Google’s Fix and the Chrome Versions You Need to Know

Google issued a patch that closes the policy enforcement gap and hardens the Gemini panel against injection. The fix landed in Chrome stable channels at versions 143.0.7499.192/.193 on Windows and macOS, and 143.0.7499.192 on Linux, with follow-on security updates addressing additional issues. If your browser is older, you are at risk.

To check, open Chrome’s menu, go to Help and then About Google Chrome. The browser will display your version and auto-fetch updates. A restart completes the patching process.

How to Protect Your Browser Now Against Gemini Exploits

  • Update Chrome immediately and enable automatic updates.
  • Audit installed extensions and remove anything unnecessary or from unknown publishers.
  • Minimize extension permissions and disable “Allow access to file URLs” unless essential.
  • For enterprises, enforce extension allowlists, use Chrome’s enterprise policies, and monitor runtime behavior for anomalous assistant activity.
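The version check described above and the extension audit in this list, as an added Python example that is not from the article or from Unit 42: it compares an installed Chrome build numerically against the fixed build the article names, and flags unpacked extension manifests that request declarativeNetRequest or other broad permissions. The Extensions directory path and the command-line invocation are assumptions; the "Allow access to file URLs" toggle is a per-extension browser setting and does not appear in manifests, so it is not covered here.

```python
import json
import re
import sys
from pathlib import Path

# Fixed Chrome stable build named in the article (the Linux build number;
# Windows/macOS shipped .192/.193). Anything older is treated as exposed.
FIXED_VERSION = "143.0.7499.192"

# Manifest permissions worth a second look. declarativeNetRequest is the API the
# researchers showed could be weaponized; the others grant broad reach.
WATCH_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                     "webRequest", "scripting", "<all_urls>"}

def parse_version(version):
    """Convert '143.0.7499.192' to a tuple of ints so comparison is numeric."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted version string: {version!r}")
    return tuple(int(part) for part in version.split("."))

def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed build is at or above the fixed build."""
    return parse_version(installed) >= parse_version(fixed)

def audit_manifest(manifest):
    """Return the watch-listed permissions a single manifest.json requests."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))
    return sorted(requested & WATCH_PERMISSIONS)

def audit_extension_dir(root):
    """Walk a Chrome profile's Extensions directory (manifest.json sits under
    <extension id>/<version>/) and map each flagged extension to its permissions."""
    findings = {}
    for manifest_path in Path(root).rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it rather than abort the audit
        flagged = audit_manifest(manifest)
        if flagged:
            findings[manifest.get("name", manifest_path.parent.name)] = flagged
    return findings

if __name__ == "__main__":
    # Assumed invocation: python audit.py <installed version> <path to Extensions>
    print("patched" if is_patched(sys.argv[1]) else "UPDATE CHROME")
    for name, perms in audit_extension_dir(sys.argv[2]).items():
        print(f"review {name}: {', '.join(perms)}")
```

A flagged extension is not automatically malicious; the output is a review list, and the version comparison is numeric so that a build such as 143.0.7499.93 is correctly reported as older than .192.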

Why Agentic AI Raises the Stakes for Browser Security

Agentic browsers turn passive pages into active workflows. That power is double-edged: the same mechanisms that let assistants navigate, fill forms, or fetch documents also expand the blast radius when a privileged panel is compromised. Beyond classic bugs, these systems are vulnerable to prompt injection and UI redressing—attacks that exploit the assistant’s trust in page content.

Researchers at MIT have warned that many AI agents are “fast and loose” on security testing, creating gaps that well-resourced adversaries can exploit. Security leaders advise treating agentic features as high-risk infrastructure: build in strict policy controls, instrument visibility, and guardrails from day one. As one Palo Alto Networks executive put it, innovation cannot come at the expense of security.

Bottom Line on the Chrome Gemini Extension Hijack Risk

This Chrome Gemini vulnerability is a reminder that the most dangerous extension is often the one you think is safe. Patch Chrome, pare back your add-ons, and assume that any assistant with the power to help you also has the power to harm you if it’s hijacked. The fix is available—install it before an attacker installs something worse.
