Unpatched Flaws in Claude for Chrome Expose Gmail and Docs Data

Anthropic’s Claude for Chrome browser extension contains two critical vulnerabilities that remain unpatched, potentially allowing attackers to access users’ Gmail, Google Docs, and Calendar data with minimal effort. Despite being reported in May 2026, these issues persist in the latest version 1.0.80, released on July 7, 2026.

Details of the Vulnerabilities

The first vulnerability resides in Claude’s content script, which listens for clicks on a specific onboarding button and forwards a corresponding prompt to Claude’s side panel. The script fails to verify whether the click is genuinely user-initiated by checking the event.isTrusted property. Consequently, any other browser extension with script access to claude.ai can simulate a click using just six lines of JavaScript, triggering Claude to execute one of nine hardcoded prompts without the user’s knowledge.

Among these prompts, three are particularly concerning as they instruct Claude to:

  • Read Gmail and interact with emails, such as clicking unsubscribe links.
  • Open the user’s latest Google Doc and read all comments.
  • Scan Google Calendar and create meetings.

In Claude’s default “Ask before acting” mode, the user receives an approval popup. However, if the “Act without asking” mode is enabled, Claude executes these actions silently, posing a significant security risk.

The second vulnerability is structural. Claude’s side panel enters a privileged, no-consent mode whenever it loads a URL containing ?skipPermissions=true, without requiring any user gesture. Although a warning banner appears, it does so only after privileged mode is already active, rendering it ineffective as a safeguard.

Security Implications and Response

These vulnerabilities align with recognized AI security risks, specifically prompt injection and excessive agency. The proposed fixes are straightforward: verifying isTrusted on click events and removing URL-based privilege escalation. Despite these recommendations, neither fix has been implemented, even though Anthropic marked the underlying tracking issue as “Resolved” before June 9.

Anthropic acknowledged both reports within a day but closed them, arguing that the synthetic-click issue was covered by an existing internal report and that the URL parameter posed no externally reachable risk. However, researchers have reverified that the flagged code remains unchanged from the originally reported version.

This situation mirrors a previous incident, ClaudeBleed, where an announced fix later proved incomplete, raising concerns about how AI browser extensions handle trust boundaries between third-party scripts and privileged actions.

As AI tools become increasingly integrated into daily workflows, ensuring their security is paramount. Users should exercise caution when enabling features that grant extensive permissions and stay vigilant for updates addressing these vulnerabilities.