Manifold Security found two unpatched flaws in Claude for Chrome v1.0.80 where any browser extension can trigger nine hardcoded Claude prompts to silently read Gmail Google Docs and Calendar with CVSS scores reaching 9.6 Critical in Act without asking mode.
Imagine a perfectly innocent looking browser extension sitting inside your Chrome installation and quietly pushing your AI assistant to read through your entire Gmail inbox your latest Google Docs and your upcoming calendar without you ever clicking a single button or seeing a single popup.
That scenario no longer needs imagination. It sits documented with working proof of concept code confirmed against the latest Claude for Chrome version as of July 14 2026 and Anthropic has shipped eight updates without touching the specific code that makes the attack possible.
ClaudeBleed isTrusted Bypass Explained
Manifold Security head of research Ax Sharma first reported these two findings to Anthropic on May 21 2026 against Claude for Chrome version 1.0.72. Anthropic acknowledged both reports the following day.
The internal tracking issue covering the broader trust boundary class was marked resolved sometime before June 9 2026. Yet when Manifold verified the latest version 1.0.80 released July 7 2026 both findings reproduced identically with the content script and side panel handlers byte identical to the 1.0.72 source they originally tested.
The first and more immediately exploitable flaw lives inside the content script that Claude for Chrome injects into the claude.ai tab. Anthropic had previously added a dictionary of nine hardcoded prompt task IDs as a mitigation against an earlier disclosure from LayerX that showed any page could feed Claude arbitrary text.
The nine canned prompts include usecase gmail which reads recent Gmail and identifies promotional emails to unsubscribe usecase gdocs which opens the latest Google Doc and reads all comments and feedback usecase calendar which reads Google Calendar finds free slots and creates meetings usecase salesforce which modifies Salesforce leads and converts them to opportunities usecase doordash usecase zillow and three onboarding challenge prompts.
The content script listens for clicks on any DOM element matching the selector claude onboarding button and reads that element’s data task id attribute to forward the matching prompt to Claude’s side panel. The handler does not check the event.isTrusted property.

That single missing check means any other browser extension running a content script on claude.ai under the standard world MAIN mode can create a button element programmatically set its data task id attribute to any of the nine prompt identifiers and dispatch a synthetic click event.
The extension processes the synthesized event as if a real human clicked a real button because event.isTrusted gets ignored entirely. The reproduction fits into six lines of JavaScript visible from the claude.ai tab’s DevTools console.
The severity splits across two modes. In the default Ask before acting mode an approval modal appears before any sensitive action executes giving the victim a chance to see something unusual. In Act without asking mode which users enable during onboarding Claude executes the triggered prompt entirely silently with no visible indication that another extension pushed the action. Manifold scored the default mode scenario at CVSS 7.7 High and the Act without asking mode at CVSS 9.6 Critical.
The second finding involves architectural structure rather than a directly remote attack path. When the Claude side panel loads it reads a query parameter named skipPermissions from its own URL and if that value equals the string true the panel sets its permission mode to skip all permission checks and begins operating without per action consent.

No user gesture triggers this transition. No consent prompt appears before privileged mode activates. A HIGH RISK banner appears at the top of the panel afterward but it functions as a notification after the privileged session already started rather than as a gate that must be cleared before any action runs.
Manifold demonstrated this from the extension’s service worker DevTools by constructing a chrome.windows.create call with the side panel URL including skipPermissions equals true and watching the panel open directly in privileged mode with the amber send button color that Claude only renders in skip all permission checks state.

Anthropic’s stated position at closure was that the URL gets constructed only by the extension itself for tasks the user has already authorized to run unattended with no externally reachable path to set it. Manifold’s concern sits in the structural future risk dimension.
Any future regression where a new external message handler accepts URL strings or where a same extension XSS in the options or pairing pages exposes side panel URL construction would immediately combine with this finding to produce silent Critical impact execution. The fix the researchers proposed involves booting the side panel unconditionally in ask mode and requiring all permission mode transitions to happen through user gesture clicks inside the side panel UI.
ClaudeBleed Detection Mitigation And Defense Recommendations
Detection for this class of attack proves nearly invisible through traditional monitoring channels. A network gateway observes only authenticated HTTPS traffic to claude.ai. Endpoint detection tools see a browser extension running normally.

Nothing in conventional log sources looks unusual because the agent invokes a legitimate built in capability through a path that only differs from legitimate use at the event.isTrusted layer which sits entirely within the browser process rather than at any observable network or filesystem layer.
Users who run Claude for Chrome in production environments and have enabled Act without asking mode face the highest immediate exposure since that mode removes the approval modal that would otherwise give any indication of an unexpected prompt execution.
Disabling Act without asking mode and keeping the default Ask before acting behavior active reduces the CVSS score from 9.6 to 7.7 and introduces at minimum a visible approval modal before any sensitive action against Gmail Docs or Calendar runs.
Organizations managing Chrome browser environments through enterprise policy should evaluate whether any installed extensions carry content scripts declared against the claude.ai origin and whether those extensions come from verified internal sources rather than third party publishers.
Any extension with a world MAIN content script on claude.ai automatically carries the technical capability this flaw requires regardless of what the extension advertises as its purpose.
The one line fix Manifold proposed would resolve the synthetic click issue completely. Adding if not n.isTrusted then return at the top of the click handler rejects synthesized events while leaving legitimate user clicks completely unaffected.
That this single line remains absent across eight consecutive releases after the May 21 report suggests the fix either awaits a bundled architectural change or sits deprioritized behind other work.


