- The research uncovered a high-severity vulnerability, CVE-2026-0628, in Chrome's Gemini integration that allowed malicious extensions to access sensitive user data and hardware
By : Basel Khaled
Palo Alto Networks’ Unit 42 uncovered a high severity security vulnerability CVE-2026-0628 in Google's implementation of the new Gemini feature in Chrome. This vulnerability allows the attacker to tap into the browser environment and access files on the local operating system.
Specifically, this vulnerability could have allowed malicious extensions with basic permissions to hijack the new Gemini Live in Chrome browser panel. Such an attack could have led to privilege escalation, enabling actions including:
- Accessing the victim’s camera and microphone without consent
- Taking screenshots of any website
- Accessing local files and directories
Unit 42 responsibly disclosed this vulnerability to Google and assisted in remediation efforts, and they released a fix in early January prior to the publication of this information.
AI Browsers: A New Wave of Productivity
The terms “agentic browser” or “AI browser” refer to a new class of web browsers that integrate AI assistants. AI browsers include Atlas, Comet, Copilot in Edge and Gemini in Chrome.
At the heart of their offering is an AI side panel assistant capable of real-time content summarization, automated task execution and dynamic assistance for contextual understanding of the active webpage.
By granting the AI direct, privileged access to the browsing environment, AI browsers are capable of performing complex, multi-step operations that were previously impossible or required several extensions and manual steps.
To effectively manage these day-to-day tasks, these agents require a "multimodal" perspective — essentially seeing exactly what the user sees on screen. Furthermore, they rely on the webpage itself to provide instructions and context, allowing the AI to interpret and act on the site’s specific interface.
However, this same expanded capability and privileged access introduce a new and widened attack surface. This creates security implications that are not present in traditional browsers.
Fusing AI Into the Browser: Security Hazards
This shift in browser architecture creates a new, two-pronged security challenge. First, the highly privileged and interactive AI assistant introduces novel risks by potentially allowing attackers to issue commands to the browser core itself.
A malicious webpage could instruct an AI to perform actions that would be blocked by a conventional browser's security model, via advanced prompt injection techniques. These actions include:
- Exfiltrating data
- Bypassing the same-origin policy (SOP)
- Triggering privileged browser functions
The AI acts as a new intermediary with overly broad access.
Secondly, the integration of a complex, new component like the AI side panel inevitably reintroduces classic, foundational browser security risks. By placing this new component within the high-privilege context of the browser, developers could inadvertently create new logical flaws and implementation weaknesses. This could include vulnerabilities related to cross-site scripting (XSS), privilege escalation and side-channel attacks that can be exploited by less-privileged websites or browser extensions, which is the focus of this analysis.
