Chrome’s Gemini “Live in Chrome” panel (Gemini’s embedded, agent-style assistant mode within Chrome) had a high‑severity vulnerability tracked as CVE‑2026‑0628. The flaw let a low‑privilege extension inject code into the Gemini side panel and inherit its powerful capabilities, including local file access, screenshots, and camera/microphone control.
The vulnerability was patched in a January update. But the deeper story is that AI or agentic browsers are stepping outside long‑standing isolation boundaries, so extension abuse, prompt injection, and trusted‑UI phishing all become much more dangerous.
Chrome’s Gemini “Live in Chrome” panel runs the Gemini web app in a special, privileged side panel that can see what’s on screen and perform actions like reading local files, taking screenshots, and using the camera and microphone to automate tasks.
Researchers found that an extension using the declarativeNetRequest API (Application Programming Interface) could tamper with traffic to gemini.google.com/app when it loaded inside this side panel, not just in a normal tab.
As a result, a basic‑permission extension could inject JavaScript into a high‑privilege browser component and start camera and microphone without new consent prompts, enumerate local files and directories, take screenshots of any HTTPS site, and even turn the Gemini panel itself into a phishing UI.
Normally, extensions cannot control other extensions or core browser components, but due to this vulnerability, a low‑privilege extension could effectively drive a privileged AI assistant and inherit its powers.
And because the Gemini panel is a trusted part of the Chrome browser, users would not expect it to silently activate camera or microphone or scrape local files at an extension’s whim.
Therefore, it is good to be aware that agentic browsers, such as Gemini in Chrome, Copilot in Edge, Atlas, Comet, etc., embed an AI side panel that sees page content, keeps context, and can autonomously execute multi‑step actions like summarization, form‑filling, and automation.
These assistants need broad access to the web pages you’re looking at, including everything you see and interact with on the screen, sometimes local files, and in some designs even application data (emails, messages). That makes them an attractive “command broker” for attackers.
How to stay safe
After responsible disclosure, Google shipped fixes in early January 2026, so current versions are not vulnerable. Anything lagging that baseline is at risk and should be updated, especially if you’re using “Live in Chrome.”
Install as few extensions as possible, from vendors you can identify and contact. Prefer open‑sourced or well‑audited extensions for anything that touches sensitive workflows.
Be suspicious of sudden permission changes or unexplained new capabilities after updates.
Monitor for anomalies like cameras activating unexpectedly, unexplained screenshots, or Gemini‑related processes touching unusual file paths.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
