Cybersecurity researchers have revealed details of a now-patched security flaw in Google Chrome that could allow attackers to escalate privileges and gain access to local files on the system.
Vulnerability, tracked as CVE-2026-0628 (CVSS score: 8.8), described as a case of inadequate policy enforcement in the webview tag. It was patched by Google in early January 2026 to version 143.0.7499.192/.193 for Windows/Mac and 143.0.7499.192 for Linux.
According to a description on the NIST National Vulnerability Database (NVD), “Insufficient policy enforcement in the webview tag in Google Chrome before 143.0.7499.192 allowed an attacker who persuaded a user who installed a malicious extension to inject script or HTML into a privileged page via a crafted Chrome extension.”
Gal Weissman, a researcher at Palo Alto Networks Unit 42 who discovered and reported the flaw on November 23, 2025, said the issue may have allowed a malicious extension with basic permissions to seize control of the new Gemini Live panel in Chrome. The panel can be launched by clicking the Gemini icon at the top of the browser window. Google added Gemini integration to Chrome in September 2025.
This attack could be exploited by an attacker to gain privilege escalation, allowing them to access the victim’s camera and microphone without permission, take screenshots of any website, and access local files.
The findings highlight an emerging attack vector arising from baking artificial intelligence (AI) and agentic capabilities directly into web browsers to facilitate real-time content summarization, translation, and automated task execution, as the same capabilities can be misused to perform privileged actions.
The problem, at its core, is that these AI agents need to be granted privileged access to the browsing environment to perform multi-step operations, creating a double-edged sword when an attacker embeds hidden signals in a malicious web page, and a victim user is tricked into accessing it through social engineering or some other means.
Hints can instruct the AI assistant to perform actions that would otherwise be blocked by the browser, leading to data exfiltration or code execution. Worse, the web page can manipulate the agent to store instructions in memory, causing it to persist throughout the session.
In addition to the expanded attack surface, Unit 42 said the integration of the AI side panel into the Agentic browser brings back classic browser security risks.
“By placing this new component in a high-privilege context of the browser, developers may inadvertently create new logical flaws and implementation vulnerabilities,” Weisman said. “This may include vulnerabilities related to cross-site scripting (XSS), privilege escalation, and side-channel attacks that can be exploited by low-privileged websites or browser extensions.”
While browser extensions operate based on a set set of permissions, the successful exploit of CVE-2026-0628 weakens the browser security model and allows an attacker to run arbitrary code on “gemini.google”.[.]com/app” through the browser panel and gain access to sensitive data.
“An extension with access to the basic permission set through the DeclarativeNetRequest API allows permissions that could enable an attacker to inject JavaScript code into the new Gemini panel,” Weisman said. “When the Gemini app is loaded within this new panel component, Chrome gives it access to powerful capabilities.”
It’s worth noting that the declarativeNetRequest API allows extensions to intercept and change the properties of HTTPS web requests and responses. It is used by ad-blocking extensions to prevent them from issuing requests to load advertisements on web pages.
In other words, all an attacker needs to do is trick an unsuspecting user into installing a specially crafted extension, which can then inject arbitrary JavaScript code into the Gemini side panel to interact with the file system, take screenshots, access the camera, turn on the microphone – all features needed for the AI assistant to perform its functions.
Unit 42 said, “The difference in what type of component a Gemini app loads is the line between design behavior and a security flaw.” An extension affecting a website is expected. However, an extension affecting any component baked into the browser is a serious security risk.”
