A now-patched high-severity vulnerability (CVE-2026-0628) in Google Chrome allowed malicious extensions to hijack the Gemini Live AI panel, leading to privilege escalation. This flaw, dubbed "Glic Jack," could have let attackers access a victim's camera, microphone, local files, and take screenshots. The incident highlights the new security risks introduced by integrating powerful AI agents with privileged access directly into web browsers, as these capabilities can be subverted. The vulnerability was rooted in insufficient policy enforcement within the WebView tag used for the Gemini panel and was fixed by Google in January 2026.
Cybersecurity researchers have disclosed details of a now-patched security flaw in Google Chrome that could have permitted attackers to escalate privileges and gain access to local files on the system.
The vulnerability, tracked as CVE-2026-0628 (CVSS score: 8.8), has been described as a case of insufficient policy enforcement in the WebView tag. It was patched by Google in early January 2026 in version 143.0.7499.192/.193 for Windows/Mac and 143.0.7499.192 for Linux.
"Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome extension," according to a description on the NIST National Vulnerability Database (NVD).
Palo Alto Networks Unit 42 researcher Gal Weizman, who discovered and reported the flaw on November 23, 2025, said the issue could have permitted malicious extensions with basic permissions to seize control of the new Gemini Live panel in Chrome.
The side panel, which leverages a new "chrome://glic" URL that uses a WebView component to load the "gemini.google[.]com" web app, can be launched by clicking the Gemini icon located in the Chrome toolbar's top right corner. Google added Gemini integration to Chrome in September 2025.
This attack could have been abused by an attacker to achieve privilege escalation, enabling them to access the victim's camera and microphone without their permission, take screenshots of any website, and access local files. The issue has been codenamed Glic Jack, short for Gemini Live in Chrome hijack.
The findings highlight an emerging attack vector arising from baking artificial intelligence (AI) and agentic capabilities directly into web browsers to facilitate real-time content summarization, translation, and automated task execution, as the same capabilities could be abused to perform privileged actions.
The problem, at its core, is the need for granting these AI agents privileged access to the browsing environment to perform multi-step operations, thereby becoming a double-edged sword when an attacker embeds hidden prompts in a malicious web page, and a victim user is tricked into accessing it via social engineering or some other means.
The prompt could instruct the AI assistant to perform actions that would otherwise be blocked by the browser, leading to data exfiltration or code execution. Even worse, the web page could manipulate the agent to store the instructions in memory, causing it to persist across sessions.
Besides the expanded attack surface, Unit 42 said the integration of an AI side panel in agentic browsers brings back classic browser security risks.
"By placing this new component within the high-privilege context of the browser, developers could inadvertently create new logical flaws and implementation weaknesses," Weizman said. "This could include vulnerabilities related to cross-site scripting (XSS), privilege escalation, and side-channel attacks that can be exploited by less-privileged websites or browser extensions."
While browser extensions operate based on a defined set of permissions, successful exploitation of CVE-2026-0628 undermines the browser security model and allows an attacker to run arbitrary code at "gemini.google[.]com/app" via the browser panel and gain access to sensitive data.
"An extension with access to a basic permission set through the declarativeNetRequest API allowed permissions that could have enabled an attacker to inject JavaScript code into the new Gemini panel," Weizman added. "When the Gemini app is loaded within this new panel component, Chrome hooks it with access to powerful capabilities."
It's worth noting that the declarativeNetRequest API allows extensions to intercept and change properties of HTTPS web requests and responses. It's used by ad-blocking extensions to stop issuing requests to load ads on web pages.
"Chromium's interpretation for what went wrong here is that WebView components (with which 'chrome://glic' embeds Gemini's web app) were forgotten from being rejected when considering [declarativeNetRequest] rule appliance," Weizman said on X.
In other words, all it takes for an attacker is to trick an unsuspecting user into installing a specially crafted extension, which could then inject arbitrary JavaScript code into the Gemini side panel to interact with the file system, take screenshots, access the camera, turn on the microphone – all features necessary for the AI assistant to perform its tasks.
"This difference in what type of component loads the Gemini app is the line between by-design behavior and a security flaw," Unit 42 said. An extension influencing a website is expected. However, an extension influencing a component that is baked into the browser is a serious security risk."
Meridiano
