Browser AI panel hijacking: how to check which of your Chrome extensions can abuse elevated privileges
CVE-2026-0628 showed extensions with basic permissions could access your camera, mic, and files via Chrome's Gemini panel. Here's how to stay safe.
If you've been assuming that browser extensions only have as much power as their permission list shows, CVE-2026-0628 is going to ruin that assumption for you.
Palo Alto Networks Unit 42 publicly disclosed this vulnerability on March 2, 2026, after Google quietly patched it in early January. The short version: a Chrome extension requesting declarativeNetRequest combined with host permissions for gemini.google.com — permissions that individually appear benign under Manifest V3 — could intercept Chrome's native Gemini Live panel and gain access to your camera, microphone, local files, and the ability to screenshot any HTTPS page you're on. Not access to a website. Access through the browser itself.
The flaw is patched. But the pattern it reveals is not going away.
What the Gemini panel actually is — and why it's not a normal webpage
Most coverage of CVE-2026-0628 glossed over the detail that makes it interesting: the distinction between Gemini running in a browser tab and Gemini Live as a native panel matters enormously from a security perspective.
When you open gemini.google.com in a tab, it's a website. Extensions can interact with it the same way they interact with any other site. That's expected behavior. The browser's security model is built for it.
Gemini Live is different. It's baked directly into Chrome's browser interface — a privileged component that sits in the browser's own UI shell, not in a sandboxed web tab. That privileged status gives it resources that regular websites can't access: direct camera and microphone access without the usual permission dialog, local file and directory access, and the ability to take full screenshots of any HTTPS page you visit.
According to Palo Alto Networks Unit 42 researchers, "An extension influencing a website is expected. However, an extension influencing a component that is baked into the browser is a serious security risk."
The problem was that Chrome's extension security model didn't properly isolate the Gemini panel from extension interception. An extension using declarativeNetRequest rules paired with host permissions for gemini.google.com could intercept HTTPS requests to gemini.google.com/app inside the panel. Crucially, declarativeNetRequest alone — without matching host permissions — cannot intercept response bodies; but extensions that combine both (which is common for content-filtering tools) had a path into a component with near-system-level access to your hardware and files.
Unit 42 reported the issue to Google on October 23, 2025. Google patched it in early January 2026. Public disclosure followed on March 2, 2026 — responsible disclosure working as intended.
The permissions problem that makes this worse
Here's the detail that should make anyone cautious about their extension list: declarativeNetRequest is supposed to be the safe permission.
When Google redesigned the extension API with Manifest V3, a flagship change was replacing webRequest — which let extensions intercept and modify network traffic in real time, with full visibility into request contents — with the more constrained declarativeNetRequest. Under the new API, extensions declare rules upfront and the browser executes them. The extension never sees the raw traffic. This was explicitly positioned as a privacy and security improvement.
But "less dangerous than the most powerful API available" is not the same as "safe in all contexts." CVE-2026-0628 demonstrated that even a constrained, declarative API becomes a serious risk when the resource being intercepted carries elevated privileges.
The specific permission matters less than the combination of what an extension can do and what elevated-privilege components exist in the browser. Extensions with tabs, webRequest, scripting, or broad host permissions all have various paths to interact with privileged browser components as more AI features get integrated. Think about it from an attacker's perspective: you don't need a full-permission extension to cause damage. You find one with moderate permissions already installed on millions of machines, and you exploit whatever trust relationship it has with privileged browser features.
Why this matters even after the patch
Browser vendors are racing to integrate AI directly into the browser interface. Chrome has Gemini Live. Microsoft Edge has Copilot built into the sidebar. Firefox is expanding native integration with Mozilla's AI partnerships. These integrated features need elevated access to be useful — reading your screen, accessing local files, making calls to hardware like the camera. The security model for how browser extensions interact with these privileged native components is still being developed in real time.
Unit 42's research identified CVE-2026-0628 as an early example of a new vulnerability class: extensions gaining unintended access to privileged browser components rather than just web content. Every browser vendor building AI panels into their UI shell is now working in the same threat model.
For regular users, the practical risk today isn't CVE-2026-0628 specifically — it's already patched. The risk is the category of attack it demonstrates. Extensions you've had installed for months, with permissions that seemed reasonable when you installed them, are potential vectors for privilege escalation when future vulnerabilities in this class emerge — in Chrome, Edge, Firefox, or wherever else AI gets baked into the browser.
The update pace compounds this. Google announced a move to a two-week Chrome release cycle starting September 2026, partly in response to security pressure. Security patches often ship without detailed public explanations of what was fixed — that's intentional, to avoid handing attackers a roadmap before users apply the patch. The side effect is that users often have no idea whether an update they skipped closed a critical hole.
How to protect yourself
You can't retroactively close a patched vulnerability, but you can audit your extension surface before the next one hits.
1. Find which extensions have network-intercepting permissions
In Chrome, go to chrome://extensions, click "Details" on each extension, and check "Permissions." Look specifically for extensions requesting declarativeNetRequest, webRequest, or both. These extensions have the ability to interact with your browser's network traffic — the same capability class CVE-2026-0628 exploited.
Not all of these are dangerous. Ad blockers and privacy tools legitimately need network access. But you should know which ones have it and whether you trust those publishers with that level of access to your browsing activity.
You can look up any extension on Extenshi's catalog to see its full permission breakdown, version history, and security indicators before deciding whether to keep it.
2. Audit your full extension list and cut anything inactive
Every inactive extension is wasted attack surface. If you installed something six months ago and haven't thought about it since, remove it. The risk calculus is straightforward: if you're not getting value from an extension, you're accepting risk for no benefit.
Go through your list and challenge each extension to justify its presence. "I might need it someday" is not a security-valid reason to keep it. Extensions can be reinstalled in 30 seconds if you actually need them later.
3. Be skeptical of "AI enhancer" and "AI sidebar" extensions
Extensions that advertise "prompt management," "AI enhancement," "Gemini helper," or "AI sidebar customization" are specifically designed to interact with AI interfaces in your browser. Some are legitimate tools I've found useful. But it also means you're placing substantial trust in that extension's publisher — they're sitting next to the exact components that CVE-2026-0628 targeted.
Before installing any AI-adjacent extension, check their publisher's track record, the extension's update history, and whether they have a credible privacy policy. If a developer account got compromised, an AI panel extension would be exactly the kind of asset an attacker would want to inject malicious code into.
4. Create a clean browser profile for AI-heavy work
This advice sounds tedious until you think about what you're protecting. In Chrome, click your profile picture and create a new profile with zero extensions installed. Use that profile when you're working with Gemini Live or any other AI tool that integrates deeply with your browser's UI.
No extensions means no extension-based privilege escalation surface — for CVE-2026-0628 or any similar vulnerability that might emerge. Your AI sessions also stay isolated from your main browsing history and tracking. This takes about two minutes to set up and is probably the single most effective mitigation available to individuals right now.
5. Stop ignoring browser update notifications
CVE-2026-0628 was patched in January 2026. Users who weren't on automatic updates, or who had snoozed the "update pending" notification, were exposed for weeks after a fix was available — and they wouldn't have known it, because the public disclosure didn't come until March.
Make sure automatic updates are enabled in Chrome settings. If you see an update notification, apply it. The brief inconvenience of a browser restart is a small price for staying current with patched vulnerabilities.
The bigger shift happening here
CVE-2026-0628 is one data point in a pattern worth paying attention to. Browsers are becoming AI platforms. Native AI components are getting hardware access that regular web content never had. And the extension permission model — designed for the web, not for native-adjacent privileged components — wasn't built with this architecture in mind.
The pattern I keep seeing is that every time browsers gain new capabilities, extensions find ways to touch things they weren't supposed to touch. Gemini Live is just the latest version of that story. There will be more.
For users, the practical response is the same one that's always worked: know what extensions you have, keep the ones you actually use, and scrutinize anything with broad access to your network traffic or browser activity. The extension you're barely using is the one most likely to be forgotten — and the one most likely to be a vector when something new breaks.
How Extenshi can help
Understanding which extensions are genuinely risky requires visibility into their permissions at a level the Chrome Web Store listing doesn't make easy to parse. Extenshi's catalog indexes browser extensions with full permission breakdowns, security analysis, and risk indicators — so you can look up any extension and immediately see what access it has and whether it raises concerns.
Scan your extensions on Extenshi →
This article is based on publicly available security research disclosed by Palo Alto Networks Unit 42 on March 2, 2026 (originally reported to Google on October 23, 2025) and news reporting from The Hacker News. Google patched CVE-2026-0628 in early January 2026 and acknowledged the fix through the standard CVE disclosure process; as of the date of this article, no active exploitation of this specific vulnerability has been publicly reported. Google has not issued a public statement beyond the CVE acknowledgment. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].
Related Articles
ClaudeBleed explained: how any Chrome extension can hijack Claude without a single permission
Any zero-permission extension can hijack Claude's AI session and exfiltrate your Gmail or GitHub data. Here's how ClaudeBleed works and how to protect yourself.
Man-in-the-prompt attacks: how to stop browser extensions from hijacking your AI conversations
Any browser extension can silently inject commands into ChatGPT, Gemini, and Claude. Here's how man-in-the-prompt attacks work and how to stay safe.
ShadyPanda: how to find browser extensions that turned malicious after you installed them
ShadyPanda ran 145 malicious extensions on Chrome and Edge for 6 years, from affiliate fraud to keylogging spyware with 4.3M installs. How to check yours.