Cybersecurity researchers have disclosed a critical vulnerability in Google Chrome, identified as CVE-2026-0628, that could have allowed attackers to escalate privileges and access local files on a user’s system. This flaw, which has since been patched by Google, highlights emerging security challenges in the integration of artificial intelligence (AI) directly into web browsers. The vulnerability, carrying a CVSS score of 8.8, was addressed in early January 2026 with the release of Chrome versions 143.0.7499.192/.193 for Windows and Mac, and 143.0.7499.192 for Linux.
The issue stemmed from insufficient policy enforcement within the WebView tag of Google Chrome. According to a description on the NIST National Vulnerability Database (NVD), an attacker could have tricked a user into installing a malicious extension. This extension could then inject scripts or HTML into privileged pages, effectively hijacking the browser’s capabilities. Palo Alto Networks Unit 42 researcher Gal Weizman discovered and reported the flaw on November 23, 2025. He noted that the vulnerability could have allowed extensions with even basic permissions to gain control of Chrome’s new Gemini Live panel, introduced in September 2025.
AI Integration in Browsers Presents New Security Risks
The exploitation of CVE-2026-0628 could have led to significant privilege escalation for attackers. This would enable them to access sensitive user data, including recordings from the camera and microphone, take unauthorized screenshots, and read local files. The findings underscore a burgeoning attack vector associated with embedding AI and agentic capabilities directly into web browsers for tasks like content summarization, translation, and automated operations. The same functionalities leveraged for user convenience could potentially be misused by malicious actors.
At its core, the problem lies in the necessity of granting AI agents privileged access to the browser environment to perform complex, multi-step operations. This creates a critical security challenge when attackers can embed hidden prompts within malicious web pages. If a user is deceived into accessing such a page, the AI assistant could be instructed to execute actions that are typically restricted by browser security measures, potentially leading to data exfiltration or unauthorized code execution. The situation could be further exacerbated if the malicious web page manipulates the AI agent to retain these instructions in its memory, allowing them to persist across different browsing sessions.
The Double-Edged Sword of Browser AI
Beyond an expanded attack surface, the integration of AI features like the Gemini side panel in agentic browsers revives classic security risks. Weizman explained that embedding these new components within the high-privilege context of the browser could inadvertently create new logical flaws and implementation weaknesses, such as vulnerabilities related to cross-site scripting (XSS), privilege escalation, and side-channel attacks. These could then be exploited by less-privileged websites or malicious browser extensions.
Although browser extensions are designed to operate within a defined set of permissions, the successful exploitation of CVE-2026-0628 circumvented this security model. It allowed an attacker to run arbitrary code within the “gemini.google[.]com/app” domain via the browser panel, thereby gaining access to sensitive user data. The declarativeNetRequest API, which allows extensions to intercept and modify web requests, played a role in this vulnerability. An extension with permitted access through this API could have been leveraged to inject JavaScript code into the Gemini panel.
When the Gemini application loads within this newly integrated panel, Chrome grants it access to powerful capabilities. The critical distinction, according to Unit 42, is between an extension influencing a standard website, which is expected behavior, and an extension influencing a component integrated directly into the browser. The latter presents a significant security risk. Essentially, an attacker only needs to persuade an unsuspecting user to install a specially crafted extension. This extension could then inject arbitrary JavaScript into the Gemini side panel, enabling it to interact with the file system, capture screenshots, access the camera, and activate the microphone—all the functionalities an AI assistant needs to perform its intended tasks.
Google Chrome has since patched this significant security flaw, reiterating the ongoing need for vigilance and timely updates as AI capabilities become increasingly intertwined with everyday digital tools. Users are advised to ensure their Chrome browser is updated to the latest version to benefit from these security enhancements. The industry will likely witness continued efforts to address the unique security challenges posed by integrated AI agents in browsers, focusing on stronger policy enforcement and robust sandboxing mechanisms.