Anthropic: Claude Chrome Extension Flaw Lets Malicious Extensions Steal Gmail and Google Drive Data

Critical "ClaudeBleed" Flaw in Anthropic’s Chrome Extension Exposes Sensitive Data

On May 7, 2026, security researcher Aviad Gispan of LayerX disclosed a severe vulnerability dubbed ClaudeBleed in Anthropic’s Claude in Chrome browser extension. The flaw allows malicious Chrome extensions, even those with no declared permissions, to hijack Claude and exfiltrate sensitive data from Gmail, Google Drive, and GitHub without user interaction.

The vulnerability stems from a trust boundary violation in the extension’s manifest. The externally_connectable setting, configured to accept messages from claude.ai, fails to verify the actual sender, enabling any extension to inject scripts into the claude.ai context and issue privileged commands. Attackers exploit this by mimicking legitimate traffic using Claude’s public extension ID, bypassing confirmation dialogs through "approval looping" and manipulating the DOM to deceive Claude into performing malicious actions such as summarizing emails, forwarding them to an attacker, and deleting traces.

Anthropic released a partial patch (v1.0.70) on May 6, 2026, adding approval flows for privileged actions. However, LayerX bypassed the fix within hours by exploiting weaknesses in the new UI-based safeguards. Attackers can still disable approval layers by switching to "Act without asking" mode, abuse side panel initialization to create an unchecked execution context, or manipulate UI elements to evade policy enforcement.

The flaw persists because Claude relies on origin-based trust rather than authenticated execution context. LayerX recommends implementing signed request tokens, restricting externally_connectable to verified extensions, and cryptographically binding user approvals to specific actions. Until then, any installed extension can silently commandeer Claude as a data-theft tool.

Source: https://cyberpress.org/claude-chrome-extension-flaw-lets-malicious-extensions-steal-gmail-and-google-drive-data/

Anthropic cybersecurity rating report: https://www.rankiteo.com/company/anthropicresearch

{
  "id": "ANT1778581440",
  "linkid": "anthropicresearch",
  "type": "Vulnerability",
  "date": "5/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Users of *Claude in Chrome* extension",
      "industry": "Artificial Intelligence / Technology",
      "name": "Anthropic",
      "type": "Company"
    }
  ],
  "attack_vector": "Malicious Chrome Extensions",
  "data_breach": {
    "data_exfiltration": "Yes",
    "personally_identifiable_information": "Potentially yes",
    "sensitivity_of_data": "High (sensitive business and personal data)",
    "type_of_data_compromised": ["Emails", "Google Drive files", "GitHub data"]
  },
  "date_detected": "2026-05-07",
  "date_publicly_disclosed": "2026-05-07",
  "description": "A severe vulnerability dubbed *ClaudeBleed* in Anthropic’s *Claude in Chrome* browser extension allows malicious Chrome extensions to hijack Claude and exfiltrate sensitive data from Gmail, Google Drive, and GitHub without user interaction. The flaw stems from a trust boundary violation in the extension’s manifest, enabling attackers to inject scripts and issue privileged commands by mimicking legitimate traffic.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to vulnerability exposure",
    "data_compromised": "Sensitive data from Gmail, Google Drive, and GitHub",
    "identity_theft_risk": "High (PII exposure risk)",
    "operational_impact": "Potential unauthorized access and exfiltration of sensitive data",
    "systems_affected": "Anthropic’s *Claude in Chrome* browser extension"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Reliance on origin-based trust is insufficient; authenticated execution context and cryptographic verification are necessary for secure extension communication.",
  "post_incident_analysis": {
    "corrective_actions": [
      "Implement signed request tokens",
      "Restrict *externally_connectable* to verified extensions",
      "Cryptographically bind user approvals to actions"
    ],
    "root_causes": [
      "Trust boundary violation in *externally_connectable* setting",
      "Lack of sender verification for messages",
      "DOM manipulation vulnerabilities",
      "Insufficient UI-based safeguards in patch"
    ]
  },
  "recommendations": [
    "Implement signed request tokens",
    "Restrict *externally_connectable* to verified extensions",
    "Cryptographically bind user approvals to specific actions",
    "Enhance UI-based safeguards to prevent manipulation"
  ],
  "references": [{ "source": "LayerX (Aviad Gispan)" }],
  "response": {
    "containment_measures": "Partial patch (v1.0.70) released on May 6, 2026, adding approval flows for privileged actions",
    "remediation_measures": "LayerX recommends implementing signed request tokens, restricting *externally_connectable* to verified extensions, and cryptographically binding user approvals to specific actions"
  },
  "title": "Critical 'ClaudeBleed' Flaw in Anthropic’s Chrome Extension Exposes Sensitive Data",
  "type": "Vulnerability Exploitation",
  "vulnerability_exploited": "Trust boundary violation in *externally_connectable* setting, lack of sender verification, DOM manipulation, approval looping"
}