Claude for Chrome Extension Still Vulnerable Months After ClaudeBleed Patch, Researchers Say
Researchers have once again put Anthropic‘s Claude for Chrome extension under the spotlight, and this time for calling out its irresponsible behavior. Weeks after privately reporting what they describe as two serious security flaws, researchers now claim both issues remain fully reproducible in the latest release despite the company shipping eight extension updates in the meantime.
ClaudeBleed findings return with fresh claims
Security firm Manifold has published a new report reopening its “ClaudeBleed” research, saying the same vulnerabilities originally disclosed against Claude for Chrome v1.0.72 can still be triggered in version 1.0.80, which rolled out on July 7 (via BleepingComputer).
According to the researchers, the first issue allows another browser extension with access to claude.ai to trigger predefined Claude actions by injecting a DOM element and simulating a button click. They say the extension accepts synthetic clicks as though they came directly from the user because the click handler does not verify whether the event is trusted.
Rather than allowing arbitrary prompts, the extension now limits requests to nine predefined tasks introduced as part of an earlier mitigation. However, Manifold argues those prompts still include actions capable of accessing Gmail, Google Docs, Google Calendar, Salesforce, Zillow, and DoorDash when browser permissions have already been granted.
The researchers say the issue carries a CVSS score of 7.7 in Claude’s default “Ask before acting” mode, rising to 9.6 if a user has previously enabled “Act without asking,” since actions could then execute without an approval prompt.
A second issue targets Claude’s permission model
The report also highlights what researchers describe as an architectural weakness involving the extension’s privileged mode. According to Manifold, Claude’s side panel can initialize in “Act without asking” mode whenever it is opened with the ?skipPermissions=true URL parameter.
The researchers say this currently requires extension-level privileges and is not directly exploitable remotely in version 1.0.80. However, they argue the design creates a risky foundation because any future flaw that exposes URL construction to a lower-privileged component could potentially become a silent execution path.
Speaking of Anthropic’s response, Manifold says it first reported both issues on May 21, 2026. The company reportedly acknowledged the reports the following day, closed one under an existing internal tracking issue, and categorized the second as informational. Since then, Anthropic has released versions 1.0.73 through 1.0.80, but the researchers claim the affected code remains unchanged.
Manifold also argues that the first issue could be fixed with a minimal code change by rejecting synthetic click events, while recommending that privileged mode should only be enabled after an explicit user action instead of through a URL parameter.
Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more
User forum
0 messages