Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel CVE-2026-0628 (High Severity)

Estimated reading time: 8 minutes

Key Takeaways:

  • CVE-2026-0628 represents a critical logic flaw in how Chrome isolated its privileged Gemini AI panel from standard extensions.
  • Attackers could leverage standard extension permissions to escalate privileges, gaining unauthorized access to camera, microphone, and local files.
  • The vulnerability was rooted in the declarativeNetRequests API, failing to distinguish between standard web tabs and high-privilege side panels.
  • Enterprise environments face heightened risks from “agentic browsers” where AI assistants have direct access to the browsing environment and system resources.

Table of Contents

Executive Summary

Research into Google Chrome’s integration of generative AI features revealed a high-severity vulnerability, identified as CVE-2026-0628. This flaw allowed browser extensions with standard permission sets to compromise the Gemini Live in Chrome panel. The vulnerability facilitated privilege escalation, providing unauthorized access to local system resources, including the camera, microphone, and filesystem.

The security flaw stemmed from an implementation error within the declarativeNetRequests API, which failed to adequately isolate the privileged Gemini panel environment from extension-side modifications. This bypass enabled attackers to inject arbitrary JavaScript into a component of the browser that possesses elevated privileges compared to standard web tabs. Google released a fix for this vulnerability in January 2026 following responsible disclosure.

The emergence of “agentic browsers”-applications that integrate AI assistants for autonomous task execution-introduces new attack vectors. This analysis details the mechanics of CVE-2026-0628, the resulting security implications for enterprise environments, and the necessary steps for mitigating risks associated with AI-integrated browser components.

Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel

The integration of Large Language Models (LLMs) into the browser core has led to the development of agentic browsers. These platforms, including Google Chrome with Gemini, Microsoft Edge with Copilot, and emerging browsers like Atlas and Comet, utilize AI side panels to assist users with content summarization, task automation, and contextual analysis of web content.

To function effectively, these AI agents require multimodal capabilities. They must interpret the visual state of the browser, access the underlying filesystem for document analysis, and interface with hardware like microphones for voice commands. This level of access requires the AI component to operate with high privileges. CVE-2026-0628 demonstrates that when these high-privilege components are not strictly isolated from lower-privilege extensions, the entire browser security model is compromised.

AI Browsers: A New Wave of Productivity

AI browsers represent a departure from traditional web navigation. By embedding an assistant directly into the interface, the browser can perform multi-step operations that previously required manual user intervention or third-party plugins. For instance, the Gemini Live panel can summarize a 50-page PDF, draft a response based on the summary, and suggest relevant local files to attach.

Chrome browser with Gemini panel and extension icons

This productivity gain is achieved by granting the AI agent direct access to the “browsing environment.” The agent essentially views the screen exactly as the user does. It interprets the Document Object Model (DOM) of the active website and can interact with browser APIs that are typically restricted for standard web applications. This architecture relies on the webpage providing context, which the AI then acts upon. However, this interaction creates a surface for prompt injection and logic flaws.

Fusing AI Into the Browser: Security Hazards

The fusion of AI into the browser architecture creates two primary categories of risk. The first involves prompt injection, where a malicious webpage provides instructions that trick the AI into bypassing the Same-Origin Policy (SOP), exfiltrating user data, or triggering privileged browser functions.

The second risk category, and the focus of CVE-2026-0628, involves logical flaws in the implementation of the AI side panel. By placing a complex, interactive component within a high-privilege context, developers risk reintroducing classic vulnerabilities such as cross-site scripting (XSS) and privilege escalation. If an extension or a website can influence the AI panel, it inherits the panel’s elevated permissions. This effectively collapses the security boundaries that maintain the browser’s integrity.

Extensions Security: Understanding the Threat Model

The modern browser security model relies on strict isolation. Extensions operate within a sandbox and are governed by a specific set of permissions defined in their manifest files. This hierarchy is essential for maintaining a secure environment. If a low-privilege extension could control a high-privilege browser component, the sandbox would be rendered ineffective.

“In the case of CVE-2026-0628, the threat model was undermined because an extension was able to cross the boundary into the Gemini panel-a component that resides at a higher level of trust than a standard extension or webpage.”

The Vulnerability in Gemini Live in Chrome

The technical root of CVE-2026-0628 lies in the declarativeNetRequests API. This API allows extensions to block or modify network requests and responses by defining rules that the browser executes on the extension’s behalf. It is commonly used by ad-blockers to intercept traffic.

The vulnerability existed because the browser allowed declarativeNetRequests rules to apply to the Gemini app even when it was running inside the privileged side panel. An attacker could craft an extension that injected malicious JavaScript into the panel’s execution context. Because the browser treated the panel as a trusted component, the injected code could then execute commands that the extension itself was forbidden from performing, such as reading local files or accessing the camera.

Privilege Escalation: Camera, Files, Screenshots and More

The impact of CVE-2026-0628 was significant due to the breadth of permissions granted to the Gemini panel. Through successful exploitation, an attacker could achieve the following:

  • Unauthorized Hardware Access: Activating the camera and microphone without the user’s consent or standard permission prompts.
  • Local Filesystem Access: Reading sensitive files and directories from the underlying operating system, bypassing the standard browser sandbox.
  • Cross-Origin Screenshots: Instructing the hijacked panel to take screenshots of any website the user visits, including private banking or corporate tools.
  • Integrated Phishing: Displaying fake login forms or security alerts within the trusted Gemini panel UI.

Risk Averted: How Could This Have Turned Out?

The proliferation of malicious extensions in official web stores makes vulnerabilities like CVE-2026-0628 particularly dangerous. Attackers frequently deploy benign-looking extensions that gain a large user base before being updated with malicious payloads. This highlights the importance of supply-chain risk monitoring for all third-party browser components.

Furthermore, attackers utilize underground forum intelligence to share techniques for bypassing extension review processes. Discussions on these platforms often center on exploiting APIs like declarativeNetRequests to achieve persistent access. Without robust breach detection mechanisms that monitor for anomalous browser behavior, such attacks can remain undetected for extended periods.

Timeline: From Discovery to Fix

  • October 23, 2025: The vulnerability was discovered and responsibly disclosed to the Google security team.
  • November – December 2025: Google verified the vulnerability and reproduced the privilege escalation conditions.
  • January 5, 2026: Google released a security update for Chrome that addressed the flaw by restricting extension interaction with the Gemini panel context.

Practical Takeaways

For Technical Teams and Engineers

  • API Restriction: Audit extensions that utilize the declarativeNetRequests API and ensure sensitive internal domains are excluded.
  • Context Isolation: Maintain strict separation between untrusted web content and privileged UI components during development.
  • Security Updates: Ensure all browser instances across the fleet are updated to versions released after early January 2026.

For Business Leaders and SOC Managers

  • Extension Governance: Implement a “Verified Only” policy for browser extensions to reduce the attack surface.
  • Data Leakage Prevention: Monitor if corporate credentials or internal project names are appearing in datasets associated with malicious extensions.
  • Supply Chain Awareness: Treat browser extensions as part of the software supply chain and conduct regular audits of their permissions.

PurpleOps Expertise in Browser and AI Security

PurpleOps provides comprehensive security solutions to address the complexities of modern browser environments and AI integration. Our expertise includes:

Conclusion

CVE-2026-0628 demonstrates that as browsers become more capable through AI integration, they also become more susceptible to complex logic flaws. The ability of a low-privilege extension to hijack a high-privilege AI panel highlights a critical need for rigorous isolation in browser architecture.

For more information on securing your organization’s digital perimeter, explore our full range of services or learn more about the PurpleOps Platform.

Frequently Asked Questions

What is CVE-2026-0628?

It is a high-severity vulnerability in Google Chrome where the declarativeNetRequests API failed to isolate the privileged Gemini AI side panel, allowing extensions to inject malicious code and escalate privileges.

How could an attacker exploit this vulnerability?

An attacker would first need to convince a user to install a malicious extension. Once installed, the extension could use standard network request modification rules to inject JavaScript into the Gemini panel whenever the user opened it.

What system resources could be accessed?

Because the Gemini panel has high-level permissions, a successful exploit could grant unauthorized access to the user’s camera, microphone, local filesystem, and the ability to take screenshots of other active tabs.

Is there a fix available for CVE-2026-0628?

Yes, Google released a patch for Chrome in January 2026. Users and organizations should ensure their browsers are updated to the latest version to mitigate this risk.

Why are “agentic browsers” more vulnerable?

Agentic browsers integrate AI assistants that require deep access to the browsing environment and system hardware to function. This high-privilege architecture creates a significant impact if isolation boundaries are bypassed.