Vulnerability - Claude Extension Flaw Enables Zero-Click Attack

The Flaw

Cybersecurity researchers recently uncovered a significant vulnerability in Anthropic's Claude Google Chrome Extension. This flaw enables attackers to trigger malicious prompts simply by visiting any web page. According to Koi Security researcher Oren Yomtov, the issue stems from an overly permissive origin allowlist combined with a cross-site scripting (XSS) vulnerability in a CAPTCHA component. This means that attackers can silently inject commands into the extension, making it seem as if the user initiated them.

The vulnerability allows any subdomain matching the pattern (*.claude.ai) to send prompts to the Claude extension for execution. This is particularly concerning because it requires no user interaction—just visiting a compromised page is enough for the attack to occur. The XSS vulnerability in the Arkose Labs CAPTCHA component hosted on "a-cdn.claude[.]ai" enables the execution of arbitrary JavaScript code, which can then issue prompts to the extension without the user's knowledge.

What's at Risk

The potential consequences of this vulnerability are severe. Successful exploitation could allow attackers to access sensitive data such as access tokens and conversation history with the AI assistant. Furthermore, adversaries could perform actions on behalf of the victim, such as sending emails or requesting confidential information. This level of control over a user's browser raises significant security concerns, especially as AI assistants become more integrated into daily tasks.

Users may not even be aware that their browser is being manipulated. The attack can occur in the background, making it difficult to detect. As AI browser assistants gain more capabilities, they also become more attractive targets for cybercriminals. The implications of this vulnerability extend beyond individual users to organizations that rely on such tools for communication and data management.

Patch Status

Following responsible disclosure on December 27, 2025, Anthropic took swift action to address the vulnerability. They deployed a patch to the Chrome extension that enforces a strict origin check, requiring an exact match to the domain "claude[.]ai." This change significantly reduces the risk of unauthorized prompt injections. Additionally, Arkose Labs has fixed the XSS flaw on their end as of February 19, 2026, further strengthening the security of the component involved.

These patches are crucial in mitigating the risks associated with this vulnerability. Users are encouraged to update their extensions to the latest version to ensure they are protected against potential exploits. Keeping software up to date is one of the best defenses against such vulnerabilities.

Immediate Actions

For users of the Claude extension, it is vital to take immediate action to protect themselves. Here are some steps to consider:

• Update the extension: Ensure that you are using the latest version of the Claude extension to benefit from the security patches.
• Be cautious with web pages: Avoid visiting untrusted or suspicious websites that could exploit this vulnerability.
• Monitor account activity: Keep an eye on your accounts for any unusual activity that may indicate unauthorized access.
• Educate yourself: Stay informed about the latest cybersecurity threats and best practices to enhance your online safety.

By taking these proactive measures, users can better safeguard their information and reduce the risk of falling victim to such vulnerabilities.