New Chrome Vulnerability Let Malicious Extensions Elevate Privileges Via Gemini Panel

Cybersecurity researchers have disclosed details of a now-patched security flaw in Google Chrome that could have allowed attackers to escalate privileges and gain access to local files on the system.
The vulnerability, tracked as CVE-2026-0628 (CVSS score: 8.8), has been described as a case of insufficient policy enforcement in the WebView tag. Google patched it in early January 2026 in version 143.0.7499.192/.193 for Windows/Mac and 143.0.7499.192 for Linux.
“Inadequate policy enforcement in the WebView tag in Google Chrome before 143.0.7499.192 allowed an attacker who authenticated a user to install a malicious extension to inject scripts or HTML into a special page via a crafted Chrome extension,” according to a description in the NIST National Vulnerability Database (NVD).
Palo Alto Networks Unit 42 researcher Gal Weizman, who discovered and reported the bug on November 23, 2025, said the issue could have allowed malicious extensions with basic permissions to take control of the new Gemini Live panel in Chrome. The panel can be started by clicking the Gemini icon located at the top of the browser window. Google added Gemini integration to Chrome in September 2025.
An attacker could exploit the flaw to gain elevated privileges, allowing them to access the victim’s camera and microphone without their permission, take screenshots of any website, and access local files.
The findings highlight an emerging attack vector that comes from baking artificial intelligence (AI) and agentic capabilities directly into web browsers to facilitate real-time content summarization, translation, and automation, as the same capabilities may be misused to perform privileged actions.
The problem, at its core, is the need to grant these AI agents access to the browsing environment so they can perform multi-step operations. That access becomes a double-edged sword when an attacker embeds hidden commands in a malicious web page and the victim is tricked into visiting it through social engineering or other means.
A command can instruct an AI assistant to perform actions that would otherwise be blocked by the browser, resulting in data leakage or code insertion. Even worse, the web page can trick the agent into storing instructions in memory, causing them to run over and over again.

Besides the expanded attack surface, Unit 42 said the integration of an AI side panel into agentic browsers brings back old browser security vulnerabilities.
“By placing this new component within the browser’s high-privilege context, developers can unwittingly create new logic errors and vulnerabilities,” Weizman said. “This may include vulnerabilities related to cross-site scripting (XSS), elevation of privilege, and side-channel attacks that may be used by less privileged websites or browser extensions.”
Although browser extensions operate based on a set of defined permissions, a successful exploit for CVE-2026-0628 undermines the browser’s security model and allows an attacker to execute arbitrary code on “gemini.google[.]com/app” using the browser panel and gain access to sensitive data.
“An extension with access to the basic permission set via the declarativeNetRequest API allowed permissions that could have enabled an attacker to inject JavaScript code into the new Gemini panel,” Weizman added. “When a Gemini app is loaded within this new panel section, Chrome connects it with access to powerful capabilities.”
It’s worth noting that the declarativeNetRequest API allows extensions to intercept and modify the properties of HTTPS web requests and responses. Ad-blocking extensions use it to block the requests that load ads on web pages.
In other words, all an attacker needs to do is trick an unsuspecting user into installing a specially crafted extension, which can then insert malicious JavaScript code into Gemini’s side panel to interact with the file system, take screenshots, access the camera, and open the microphone, all features the AI assistant requires to perform its tasks.
“This difference in what kind of component loads the Gemini app is a fine line between random behavior and a security problem,” said Unit 42. “An extension is expected to affect the website. However, an extension that affects the part baked into the browser is a serious security risk.”
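For defenders triaging exposure, the sketch below is an added example, not code from Unit 42 or Google. It checks a Chrome version against the fixed build named above and flags extension manifests that request a declarativeNetRequest permission with host access covering the Gemini app. The sample manifests are constructed, and the "review" flag is an assumed triage heuristic, not evidence of malicious behaviour.

```python
import json

PATCHED = (143, 0, 7499, 192)   # first fixed build, per the advisory quoted above
DNR_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
             "declarativeNetRequestFeedback"}
GEMINI_HOST = "gemini.google.com"

def is_patched(version: str) -> bool:
    """True if a dotted numeric Chrome version is at or above the fixed build."""
    return tuple(int(p) for p in version.split(".")) >= PATCHED

def host_covered(pattern: str, host: str = GEMINI_HOST) -> bool:
    """Does the host part of a Chrome match pattern cover `host`?"""
    if pattern == "<all_urls>":
        return True
    _, sep, rest = pattern.partition("://")
    if not sep:
        return False            # an API permission name, not a match pattern
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return pat_host == host

def audit_manifest(manifest: dict) -> dict:
    """Summarise the permissions relevant to this issue for one manifest.json."""
    def strings(*keys):
        return [p for k in keys for p in manifest.get(k, []) if isinstance(p, str)]
    perms = strings("permissions", "optional_permissions")
    # Manifest V2 lists host patterns under "permissions", so include those too.
    hosts = perms + strings("host_permissions", "optional_host_permissions")
    dnr = sorted(DNR_PERMS.intersection(perms))
    covers = any(host_covered(p) for p in hosts)
    return {"name": manifest.get("name", "?"), "dnr_permissions": dnr,
            "covers_gemini_host": covers, "review": bool(dnr) and covers}

# Constructed sample manifests (not real extensions).
SAMPLES = [json.loads(s) for s in (
    '{"name": "sample-blocker", "manifest_version": 3,'
    ' "permissions": ["declarativeNetRequest"], "host_permissions": ["<all_urls>"]}',
    '{"name": "sample-notes", "manifest_version": 3, "permissions": ["storage"]}',
    '{"name": "sample-scoped", "manifest_version": 3,'
    ' "permissions": ["declarativeNetRequestWithHostAccess"],'
    ' "host_permissions": ["https://example.com/*"]}',
)]

if __name__ == "__main__":
    print("143.0.7499.169 patched:", is_patched("143.0.7499.169"))
    for m in SAMPLES:
        print(audit_manifest(m))
```

On a real endpoint the same function can be fed each installed extension's `manifest.json`; a flagged extension is a candidate for manual review, nothing more.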



