Critical Google Chrome Gemini Live Vulnerability (CVE-2026-0628) Exposed AI Panel to Malicious Extensions

CyberSecureFox 🦊

Researchers from Palo Alto Networks Unit 42 have disclosed a critical vulnerability in Google Chrome that allowed malicious browser extensions to take control of the Gemini Live AI panel and gain elevated access to the user’s camera, microphone, and local files. The flaw, tracked as CVE-2026-0628 with a CVSS score of 8.8, has been patched by Google but highlights deep structural risks in integrating AI assistants directly into web browsers.

How CVE-2026-0628 Exposed the Gemini Live AI Panel

The vulnerability stemmed from incomplete security isolation in the Chrome component responsible for rendering the Gemini Live panel. This panel is loaded via an internal URL, chrome://glic, inside a WebView component and was introduced in September 2025 as a native, high-privilege AI assistant tightly integrated with Chrome and gemini.google.com.

According to Unit 42 researcher Gal Weizman, who reported the issue to Google in November 2025, extensions with only a basic permission set could inject arbitrary JavaScript into the Gemini Live context by abusing the declarativeNetRequest (DNR) API. This API, widely used by ad blockers and traffic filters, lets extensions intercept and modify HTTPS requests and responses.

The design flaw was that the WebView instance for chrome://glic was not excluded from the scope of declarativeNetRequest rules. As a result, extensions could manipulate not just ordinary websites but also this highly privileged internal browser component.

Under normal circumstances, extensions influencing page content is an expected and controlled risk: users explicitly grant permissions, and the impact is confined to web pages. In this case, however, extensions were able to interfere with code running inside a system-level Chrome component, undermining the browser’s privilege separation model and significantly escalating the security impact.

Abusing Chrome Extensions to Hijack High-Privilege AI Features

Unlike a standard browser tab, the Gemini Live AI panel operates as part of Chrome itself, in a more trusted and privileged environment. To deliver assistant capabilities, it is allowed to read and process local files, capture screenshots, and access the camera and microphone, as well as interact more deeply with the user’s system environment.

An attacker only needed to trick the user into installing a malicious Chrome extension—for example via a phishing site, a fake “performance optimizer,” or an imitation of a popular productivity tool. Once installed, the extension could:

• Modify network responses associated with Gemini Live traffic using declarativeNetRequest.
• Inject custom JavaScript into the Gemini Live WebView context.
• Piggyback on the Gemini Live panel’s enhanced privileges to access camera, microphone, screenshots, or local data.

This scenario is aligned with existing trends. Security reports from vendors such as Google and third-party researchers have repeatedly documented malicious or compromised extensions that began as legitimate tools and later turned into spyware, ad fraud modules, or data theft tools after a silent update. The Gemini Live bug amplified this already serious risk by attaching it to a privileged AI component rather than a normal site.

AI Assistants in the Browser as a New Attack Surface

The incident around CVE-2026-0628 underscores a broader shift: AI agents embedded in the browser create a new class of security risks. To function effectively, AI assistants require broader access to user context, browser state, and sometimes local resources—precisely the data that attackers most want to reach.

Prompt injection and persistent AI compromise

One of the most significant threats is prompt injection. A malicious web page can embed hidden instructions—visible to the AI but not obvious to the user—that cause the assistant to perform actions such as opening sensitive files, reading tokens from other tabs, or exfiltrating pieces of the screen. These are operations that standard JavaScript would never be permitted to perform under normal browser security policies.

Risk increases further when AI agents retain memory across sessions. In such designs, a single visit to a compromised or malicious website can “poison” the assistant’s internal state, creating a long-term data leakage channel or a persistent method for bypassing safeguards.

From a security architecture perspective, placing AI components in a high-privilege context raises the likelihood and impact of logical flaws, XSS in service interfaces, privilege escalation bugs, and side-channel attacks that could be exploited by less-privileged web content or extensions.

Patch Status and Practical Security Recommendations

Google has addressed CVE-2026-0628 by releasing security updates for Chrome: versions 143.0.7499.192/.193 for Windows and macOS and 143.0.7499.192 for Linux. Users should verify that their browser is updated, as security fixes are delivered primarily through version upgrades.

For end users, the Gemini Live vulnerability reinforces several essential practices:

• Install extensions only from trusted sources: Prefer well-known publishers with a track record and many consistent reviews.
• Review permissions carefully: Be suspicious of extensions that request access to “all sites” or to sensitive data without a clear need.
• Regularly audit installed extensions: Remove add-ons that are unused, outdated, or whose purpose is unclear.

In enterprise environments, organizations should implement centralized extension policies, restricting installation to a vetted allowlist and monitoring for unauthorized or newly installed plugins across the fleet.
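
A fleet-side check that combines the patch-level and extension-allowlist recommendations above, as an added example (not code from Unit 42, Google, or this article). It assumes a hypothetical JSON inventory export listing each host's Chrome version and installed extension manifests; the allowlist, host names, extension IDs, and the unpatched version string are constructed.

```python
import json

# Lowest fixed build named in the article (143.0.7499.192).
PATCHED = (143, 0, 7499, 192)
# Chrome manifest permissions that grant declarativeNetRequest (DNR) access.
DNR_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
             "declarativeNetRequestFeedback"}
# Hypothetical organisation allowlist of vetted extension IDs (constructed).
ALLOWLIST = {"a" * 32}
# Constructed inventory export; record layout and versions are assumptions.
SAMPLE = json.loads("""[
 {"host": "ws-01", "chrome_version": "143.0.7499.109", "extensions": [
   {"id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "manifest": {"permissions": ["declarativeNetRequest", "storage"]}},
   {"id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
    "manifest": {"permissions": ["declarativeNetRequestWithHostAccess"],
                 "host_permissions": ["<all_urls>"]}}]},
 {"host": "ws-02", "chrome_version": "143.0.7499.193", "extensions": [
   {"id": "cccccccccccccccccccccccccccccccc",
    "manifest": {"permissions": ["tabs"]}}]}
]""")

def is_patched(version):
    # Compare the dotted version numerically, not as a string.
    return tuple(int(p) for p in version.strip().split(".")) >= PATCHED

def audit_extension(ext_id, manifest):
    """Return findings for one extension's manifest.json (as a dict)."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    checks = [("not-allowlisted", ext_id not in ALLOWLIST),
              ("dnr-access", bool(perms & DNR_PERMS)),
              ("all-sites", "<all_urls>" in manifest.get("host_permissions", []))]
    return [name for name, hit in checks if hit]

def audit_host(record):
    """Summarise one host; urgent = unpatched Chrome plus an unvetted DNR extension."""
    exts = {e["id"]: f for e in record["extensions"]
            if (f := audit_extension(e["id"], e["manifest"]))}
    patched = is_patched(record["chrome_version"])
    urgent = not patched and any(
        {"not-allowlisted", "dnr-access"} <= set(f) for f in exts.values())
    return {"host": record["host"], "patched": patched,
            "findings": exts, "urgent": urgent}

if __name__ == "__main__":
    print(json.dumps([audit_host(r) for r in SAMPLE], indent=1))
```

Hosts marked urgent are the ones to update and clean up first; allowlisted extensions that hold DNR access are still listed so they can be re-reviewed.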

For browser and AI platform developers, this case is a clear signal to rethink threat models for in-browser AI agents. Key measures include strict isolation of high-privilege components, clear boundaries between WebView and extension APIs, explicit exclusion of internal URLs such as chrome:// resources from declarativeNetRequest rules, and rigorous application of the principle of least privilege to AI panels.

The rapid expansion of AI-driven capabilities in browsers offers significant usability and productivity benefits, but it also magnifies the consequences of design mistakes. As AI becomes more deeply integrated into Chrome and operating systems, robust isolation from untrusted code—especially web content and extensions—must be treated as a foundational requirement, not an afterthought.
