Security Flaw in Anthropic's Claude Extension Allows AI Hijacking, Experts Warn of Ongoing Risks

May 8, 2026
  • A flaw in Anthropic’s Claude Chrome extension lets any other browser extension hijack the AI by sending commands through the extension’s origin, bypassing normal permission checks.

  • The root cause is an unverified script communication channel in the extension, enabling privilege escalation across extensions and breaking Chrome’s security model.

  • LayerX researchers exposed ClaudeBleed, a security flaw that could let attackers take full control of the AI assistant and access private files and emails.

  • Anthropic did not comment to CyberScoop about the findings or mitigation efforts.

  • Security experts urge stronger security protocols by developers and organizations to prevent hijacking and protect user trust.

  • Coverage comes from multiple security outlets, including CyberScoop, SecurityWeek, Palo Alto Networks, CrowdStrike, and BleepingComputer.

  • LayerX says it reported the flaw on April 27; Anthropic issued a partial fix and later claimed the report was a duplicate being addressed in a future update. New fixes on May 6 added privileged-action approval flows, but the flaw could still be exploited in some cases.

  • Experts warn that monitoring at the prompt layer isn’t enough; defenses must address manipulated environments and cross-extension interactions.

  • Findings suggest vendors may prioritize user experience over security, creating ongoing risks as AI agents become more common.

  • Even after updates, switching Claude to a privileged mode without user notification allowed continued prompt injections, signaling persistent vulnerability.

  • Proof of concept showed attackers could prompt Claude to share data with external servers and delete evidence, underscoring sophisticated prompt-layer and environment manipulation.

  • Researchers warn that simple exploitation methods can still compromise AI security despite the popularity of large language models.

Summary based on 4 sources

