Security boffins have discovered a high-severity bug in Google Chrome that allowed malicious extensions to hijack its Gemini Live AI panel and inherit privileges they were never meant to have.
The flaw, tracked as CVE-2026-0628, was uncovered by researchers at Palo Alto Networks’ Unit 42, who found that rogue Chrome extensions could manipulate how the browser handled requests to the embedded Gemini Live side panel. By abusing the way Chrome applies extension network-request rules, a malicious add-on with fairly standard permissions could intercept and tamper with traffic bound for the Gemini panel, slipping its own JavaScript into a far more trusted part of the browser than any extension page.
Gemini Live, built into Chrome as an interactive AI panel, isn’t just a chatbot bolted onto a tab. It’s tightly integrated into the browser to grab screenshots, read local files, and turn on your camera or microphone when asked. That’s handy if you’re using it as intended, but less so if a sketchy extension manages to ride along and inherit the same level of access, stepping well beyond the permissions add-ons are supposed to have.
“Since the Gemini app relies on performing actions for legitimate purposes, hijacking the Gemini panel allows privileged access to system resources that an extension would not normally have,” said Gal Weizman, security researcher at Palo Alto Networks.
In effect, a malicious extension could have turned on a webcam or microphone, sifted through local files, taken screenshots, or slipped phishing messages into what appears to be a legitimate Gemini panel. Nothing particularly fancy was required – just ordinary extension behavior bumping up against a flaw in how Chrome walled off its AI feature.
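One check a practitioner can run on an installed or submitted extension is to audit what its network rules are allowed to touch: a rule that can redirect, or rewrite headers on, requests to a trusted origin deserves a second look no matter what the extension claims to do. The following is an added example, not code from the article, Unit 42 or Google. It assumes the "extension network rules" the article describes are Chrome declarativeNetRequest rules (the article does not name the API), and the protected host list and sample ruleset are constructed for illustration rather than taken from the Gemini panel or any real extension.

```javascript
// Added example: audit a Chrome extension's declarativeNetRequest ruleset for
// rules whose action can redirect, or rewrite headers on, requests to a
// protected origin. Assumptions: the rules are declarativeNetRequest rules;
// PROTECTED_HOSTS and SAMPLE_RULES are constructed for illustration and are not
// the Gemini panel's real origin or a real extension's ruleset.

const PROTECTED_HOSTS = ["gemini.google.com"]; // assumption, illustrative only

// Actions that can change what a protected page loads or which headers it sees.
const SENSITIVE_ACTIONS = new Set(["redirect", "modifyHeaders"]);

// Translate a declarativeNetRequest urlFilter into a RegExp. Supported syntax:
// leading "||" (domain anchor), leading/trailing "|" (start/end anchor),
// "*" (wildcard) and "^" (separator character).
function urlFilterToRegExp(filter, caseSensitive = false) {
  let src = "";
  let i = 0;
  if (filter.startsWith("||")) {
    src += "^[a-z][a-z0-9+.-]*://(?:[^/?#]*\\.)?"; // scheme, then optional subdomains
    i = 2;
  } else if (filter.startsWith("|")) {
    src += "^";
    i = 1;
  }
  let end = filter.length;
  let anchorEnd = false;
  if (end > i && filter.endsWith("|")) {
    anchorEnd = true;
    end -= 1;
  }
  for (; i < end; i++) {
    const ch = filter[i];
    if (ch === "*") src += ".*";
    else if (ch === "^") src += "(?:[^a-zA-Z0-9_.%-]|$)";
    else src += ch.replace(/[.+?()[\]{}\\$|\/]/g, "\\$&");
  }
  if (anchorEnd) src += "$";
  return new RegExp(src, caseSensitive ? "" : "i");
}

function hostInDomains(host, domains) {
  return domains.some(d => host === d || host.endsWith("." + d));
}

// Could this rule's condition match a request to `host`? Two probe URLs on the
// host are tested; a rule with no URL condition, or an over-broad filter such
// as "*", matches everything, which is exactly what an auditor wants surfaced.
function ruleCouldTouchHost(rule, host) {
  const cond = rule.condition || {};
  if (cond.requestDomains && !hostInDomains(host, cond.requestDomains)) return false;
  if (cond.excludedRequestDomains && hostInDomains(host, cond.excludedRequestDomains)) return false;
  const probes = [`https://${host}/`, `https://${host}/app/panel.js?v=1`];
  const cs = cond.isUrlFilterCaseSensitive === true;
  if (typeof cond.urlFilter === "string") {
    const re = urlFilterToRegExp(cond.urlFilter, cs);
    return probes.some(u => re.test(u));
  }
  if (typeof cond.regexFilter === "string") {
    const re = new RegExp(cond.regexFilter, cs ? "" : "i");
    return probes.some(u => re.test(u));
  }
  return true; // no URL condition at all: the rule applies to every request
}

function describeAction(action) {
  if (action.type === "redirect") {
    const r = action.redirect || {};
    return "redirect -> " + (r.url || r.extensionPath || r.regexSubstitution || "(transform)");
  }
  const edits = [...(action.requestHeaders || []), ...(action.responseHeaders || [])]
    .map(h => `${h.operation} ${h.header}`);
  return "modifyHeaders: " + edits.join(", ");
}

// Returns one finding per (rule, protected host) pair that the rule could reach.
function auditRuleset(rules, protectedHosts = PROTECTED_HOSTS) {
  const findings = [];
  for (const rule of rules) {
    const type = rule.action && rule.action.type;
    if (!SENSITIVE_ACTIONS.has(type)) continue;
    for (const host of protectedHosts) {
      if (ruleCouldTouchHost(rule, host)) {
        findings.push({ id: rule.id, host, detail: describeAction(rule.action) });
      }
    }
  }
  return findings;
}

// Constructed sample ruleset (not a real extension's rules).
const SAMPLE_RULES = [
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||ads.example.net^" } },                               // benign
  { id: 2, priority: 1,
    action: { type: "redirect", redirect: { url: "https://cdn.example.org/x.js" } },
    condition: { urlFilter: "||gemini.google.com/", resourceTypes: ["script"] } },   // flagged
  { id: 3, priority: 1,
    action: { type: "modifyHeaders",
              responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }] },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] } },     // flagged: too broad
  { id: 4, priority: 1,
    action: { type: "redirect", redirect: { url: "https://cdn.example.org/y.js" } },
    condition: { regexFilter: "^https://cdn\\.example\\.com/" } },                   // benign
];

console.log(JSON.stringify(auditRuleset(SAMPLE_RULES), null, 2));
```

Run against a real extension by loading the JSON files named under `declarative_net_request.rule_resources` in its manifest and passing the combined array to `auditRuleset`. The probe-URL approach is deliberately conservative: a filter that matches either probe is reported, so broad wildcards surface even when the extension never intended to touch the protected origin, which is the point of the review.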
Google fixed the bug in early January, shipping patches in Chrome 143.0.7499.192 and 143.0.7499.193 for desktop via a Stable Channel update. The hole was closed before Unit 42 went publi