Flaw in Google's Gemini AI Panel Allows Potential Hijacking

Google has addressed a significant vulnerability in its Gemini AI feature within the Chrome browser. This flaw had the potential to enable attackers to escalate privileges, compromise user privacy while browsing, and gain access to sensitive system resources. Researchers highlighted that this vulnerability showcases the new security risks associated with the integration of AI into browser technology.

The flaw, tracked as CVE-2026-0628, allowed malicious browser extensions with minimal permissions to gain access to a victim's camera and microphone without consent, capture screenshots of any website, and access local files and directories. This information comes from a report by researchers at Palo Alto Networks' Unit 42, who identified the issue.

Gal Weizman, a senior principal researcher at Palo Alto Networks, stated that "the vulnerability put any user of the new Gemini feature in Chrome at risk of system compromise if they had installed a malicious extension." He emphasized that the risks were especially pronounced in business and organizational environments.

In Chrome, the Gemini Live feature operates through a specialized browser side panel, offering it enhanced capabilities to access on-screen content and interact with local system resources. The integration of agentic AI into browsers allows for the quick execution of complex tasks that previously required extensions or manual steps.

However, this expanded functionality also leads to a broader attack surface, introducing new risks for both individual and corporate users. Weizman pointed out that this creates security implications that are not present in traditional browsers.

The Technical Aspects of the Vulnerability

Researchers discovered the flaw through an extension that had access to basic permissions via the "declarativeNetRequest" API. The API failed to maintain a necessary security boundary around the Gemini side panel, allowing permissions that could enable an attacker to inject JavaScript code into the panel.

This API has legitimate uses, such as in ad-blocking extensions that prevent privacy-invasive ads. Weizman clarified that this behavior is typically acceptable when the application is loaded into a regular browser tab.

However, in this instance, it was the combination of Gemini AI with the browser that rendered the function potentially harmful. The flaw enabled code injection when the application was loaded within the trusted and highly privileged Gemini side panel, which granted access to powerful capabilities, including reading local files and capturing screenshots.

Palo Alto researchers demonstrated how a standard extension could hijack the Gemini panel and execute these malicious actions. Google responded quickly, reproducing the exploit conditions and patching the flaw in early January.

Increased Security Risks with Agentic AI Browsers

The risk of vulnerabilities like this one grows as AI becomes more embedded in browser design. The proactive nature of AI technology creates a new risk model, as it not only displays content but also acts upon it.

Anupam Upadhyaya, senior vice president of product management for Palo Alto Networks' Prisma SASE, noted that "these agents can inherit a user's authenticated browser session and perform privileged actions within enterprise applications, including modifying data or triggering workflows."

Developers of agentic browsers must rethink and enhance security, crafting browsers with continuous and policy-enforced native security rather than adding it post-deployment. Upadhyaya suggests that designers incorporate real-time inspection of prompts, AI responses, and rendered content directly within the browser environment.

Defenders need to recognize that this new attack surface is one that traditional network and endpoint controls were never designed to monitor, and adjust their strategies accordingly. A good starting point is to treat the browser as both a primary attack surface and a potential control plane. This involves gaining visibility into the AI browsers and extensions in use, monitoring user navigation, uploads, and extension behavior, and enforcing policy controls in real time before data exits the browser.
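One way to start on the extension visibility described above is to inventory which installed extensions request the declarativeNetRequest family of permissions. This is an added example, not code from the article, Unit 42 or Google. The `EXT_DIR` environment variable, the verdict labels and the sample manifests are assumptions made for illustration.

```javascript
// Added example: inventory extension manifests for declarativeNetRequest access.
const DNR_PERMS = ["declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                   "declarativeNetRequestFeedback"];
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Classify one parsed manifest.json (Manifest V2 or V3).
function auditManifest(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  // MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
  const hosts = [...perms, ...(manifest.host_permissions || []),
                 ...(manifest.optional_host_permissions || [])];
  const dnr = DNR_PERMS.filter((p) => perms.includes(p));
  const broad = BROAD_HOSTS.filter((h) => hosts.includes(h));
  const staticRulesets = ((manifest.declarative_net_request || {}).rule_resources || []).length;
  let verdict = "ok"; // verdict labels are this example's own
  if (dnr.length > 0) verdict = broad.length > 0 ? "review-first" : "review";
  return { name: manifest.name || "(unnamed)", dnr, broad, staticRulesets, verdict };
}

// Read <extDir>/<extension id>/<version>/manifest.json from a Chrome profile's Extensions directory.
function loadManifests(extDir) {
  const fs = require("fs");
  const path = require("path");
  const out = [];
  for (const id of fs.readdirSync(extDir)) {
    const idDir = path.join(extDir, id);
    if (!fs.statSync(idDir).isDirectory()) continue;
    for (const version of fs.readdirSync(idDir)) {
      const file = path.join(idDir, version, "manifest.json");
      if (!fs.existsSync(file)) continue;
      try { out.push(JSON.parse(fs.readFileSync(file, "utf8"))); } catch { /* skip unparsable */ }
    }
  }
  return out;
}

// Constructed sample manifests (not real extensions), used when EXT_DIR is unset.
const SAMPLE = [
  { name: "Constructed Notes", manifest_version: 3, permissions: ["storage"] },
  { name: "Constructed Blocker", manifest_version: 3, permissions: ["declarativeNetRequest"],
    declarative_net_request: { rule_resources: [{ id: "r1", enabled: true, path: "rules.json" }] } },
  { name: "Constructed Rewriter", manifest_version: 3,
    permissions: ["declarativeNetRequestWithHostAccess"], host_permissions: ["<all_urls>"] },
];

const report = (manifests) => manifests.map(auditManifest).filter((r) => r.verdict !== "ok");
// EXT_DIR is a hypothetical variable name for the path to the Extensions directory.
console.log(JSON.stringify(report(process.env.EXT_DIR ? loadManifests(process.env.EXT_DIR) : SAMPLE), null, 2));
```

The manifest only shows declared permissions and static rulesets; rules an extension adds at runtime are not visible here, so flagged extensions still need behavioral review.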
