Google fixed a high-severity vulnerability in its Gemini AI side panel for Chrome that could have allowed malicious extensions to hijack the feature. The flaw, CVE-2026-0628, could have enabled attackers to escalate privileges, access a victim's camera, microphone, and local files, and take screenshots without consent. Researchers from Palo Alto Networks discovered the issue, highlighting the new security risks introduced by AI-integrated "agentic" browsers with privileged system access. Google patched the vulnerability after being notified.
Bug in Google's Gemini AI Panel Opens Door to Hijacking
Attackers could have exploited the vulnerability to escalate privileges, violate user privacy while browsing, and access sensitive resources.
Google has fixed a high-severity flaw in its implementation of Gemini AI in the Chrome browser that could have allowed attackers to escalate privileges, violate user privacy while browsing, and access sensitive system resources. Researchers said the vulnerability demonstrates new security hazards that come with the deployment and use of agentic browsers that have AI built in.
Specifically, the flaw tracked as CVE-2026-0628 could have allowed malicious browser extensions with only basic permissions to escalate privileges to access the victim's camera and microphone without consent; take screenshots of any website; and access local files and directories, according to a report published today by researchers from Palo Alto Networks' Unit 42, who discovered the flaw.
"The vulnerability put any user of the new Gemini feature in Chrome at risk of system compromise if they had installed a malicious extension," Gal Weizman, senior principal researcher, Palo Alto Networks, tells Dark Reading. "Beyond individual users, the risk profile was significantly amplified within business and organizational environments."
In Chrome, the Gemini Live feature operates within a privileged browser side panel, granting it elevated capabilities to perform actions such as accessing on-screen content and interacting with local system resources to complete complex tasks. Indeed, many browsers now have agentic AI capabilities integrated into the browsing experience, allowing for quick dissemination of data and the execution of complex, multistep operations that were previously impossible or required extensions and manual steps by the operator.
However, with this expanded capability and privileged access comes "a new and widened attack surface" that introduces new risks to both home and corporate users, Weizman wrote in the report. "This creates security implications that are not present in traditional browsers."
The Gemini AI Security Flaw & Its Fix
Researchers uncovered the flaw in an extension to the Gemini side panel with access to a basic permission set through the "declarativeNetRequest" API, which failed to maintain a proper security boundary. This "allowed permissions that could have enabled an attacker to inject JavaScript code into the new Gemini panel," Weizman wrote in the report.
This API function can be used for legitimate purposes, such as how AdBlock stops requests that could lead to privacy-undermining ads. In fact, it is allowed by design for some extension behavior, and would not be problematic if loaded into a typical browser tab, Weizman says.
However, in this case, it was the specific integration of Gemini AI with the browser that made the function potentially malicious, he said. The flaw allowed the same code injection to occur when the app was loaded within the new, trusted, and highly privileged Gemini side panel component, when "Chrome hooks it with access to powerful capabilities," Weizman wrote. "These include being able to read local files, take screenshots, access the camera and microphone and more, so the app could perform complex tasks. Being able to intercept it under that setting would have allowed attackers to gain access to these powers, too."
Palo Alto researchers demonstrated how an ordinary extension could hijack the Gemini panel and perform the aforementioned malicious activities in October; Google responded, was able to reproduce the exploit conditions, and subsequently patched the flaw in early January, according to the report.
Agentic AI Browsers Add Security Risk
The risk of vulnerabilities like this one exposing browsers to malicious activity increases as AI becomes more integrated into their design, Palo Alto researchers noted. That's due to the proactive nature of AI technology, which creates a new risk model because it is not just displaying content, as a typical browser does, but acting upon it as well.
"These agents can inherit a user's authenticated browser session and perform privileged actions inside enterprise applications, including modifying data or triggering workflows," Anupam Upadhyaya, senior vice president of product management for Palo Alto Networks' Prisma SASE, tells Dark Reading.
This, in turn, means that developers of agentic browsers need to rethink and bolster security, creating browsers with native security that is "continuous and policy-enforced — not bolted on after deployment," Upadhyaya says. "Designers should build in real-time inspection of prompts, AI responses, and rendered content directly inside the browser, where users, data, and AI interact," he says.
Defenders in general also need to understand that this new attack surface is one that "traditional network and endpoint controls were never designed to monitor," and adjust their own strategies accordingly beyond these controls, Upadhyaya says.
A good place to start would be by treating the browser as both "a primary attack surface and a potential control plane," he says. "That means gaining visibility into which AI browsers and extensions are in use; in-browser visibility into user navigation, uploads, copy/paste activity and extension behavior; and enforcing policy controls in real time before data leaves the browser."
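As an added example (not from the article or the Unit 42 report), here is a minimal inventory check for the extension-visibility step described above: it scans a Chrome profile's Extensions directory and reports every extension whose manifest requests a declarativeNetRequest permission, along with any all-sites host patterns. The `<id>/<version>/manifest.json` layout, the function names and the two sample manifests are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Chrome permission strings that let an extension block or rewrite requests.
DNR_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest):
    """Return a finding dict if the manifest requests declarativeNetRequest, else None."""
    perms = {p for key in ("permissions", "optional_permissions")
             for p in manifest.get(key, []) if isinstance(p, str)}
    dnr = sorted(perms & DNR_PERMS)
    if not dnr:
        return None
    hosts = perms | set(manifest.get("host_permissions", []))  # MV2 keeps hosts in permissions
    return {"name": manifest.get("name", "?"), "dnr": dnr, "broad_hosts": sorted(hosts & BROAD_HOSTS)}


def audit_extensions_dir(ext_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; key findings by extension ID."""
    findings = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            finding = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError, TypeError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        if finding:
            findings[path.parts[-3]] = finding
    return findings


def build_sample(root):
    """Write two constructed manifests (not real extensions) in the assumed on-disk layout."""
    samples = {
        "a" * 32: {"manifest_version": 3, "name": "Constructed request filter",
                   "permissions": ["declarativeNetRequest"], "host_permissions": ["<all_urls>"]},
        "b" * 32: {"name": "Constructed notes app", "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(audit_extensions_dir(build_sample(tmp)), indent=2))
```

A finding is an inventory signal, not a verdict: as the article notes, content blockers use the same API legitimately, so the output is a list to review against an allowlist.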