Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website

Summary

Cybersecurity researchers disclosed a critical vulnerability in Anthropic's Claude Google Chrome Extension that allowed any website to silently inject malicious prompts without user interaction. The flaw chained an overly permissive origin allowlist with a DOM-based XSS vulnerability in an Arkose Labs CAPTCHA component, enabling attackers to steal credentials, access conversation history, and perform actions on behalf of users. Anthropic patched the extension on December 27, 2025, and Arkose Labs fixed the XSS flaw on February 19, 2026.

Full text

Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website Ravie LakshmananMar 26, 2026Browser Security / Vulnerability Cybersecurity researchers have disclosed a vulnerability in Anthropic's Claude Google Chrome Extension that could have been exploited to trigger malicious prompts simply by visiting a web page. The flaw "allowed any website to silently inject prompts into that assistant as if the user wrote them," Koi Security researcher Oren Yomtov said in a report shared with The Hacker News. "No clicks, no permission prompts. Just visit a page, and an attacker completely controls your browser." The issue chains two underlying flaws - An overly permissive origin allowlist in the extension that allowed any subdomain matching the pattern (*.claude.ai) to send a prompt to Claude for execution. A document object model (DOM)-based cross-site scripting (XSS) vulnerability in an Arkose Labs CAPTCHA component hosted on "a-cdn.claude[.]ai." Specifically, the XSS vulnerability enables the execution of arbitrary JavaScript code in the context of "a-cdn.claude[.]ai." A threat actor could leverage this behavior to inject JavaScript that issues a prompt to the Claude extension. The extension, for its part, allows the prompt to land in Claude's sidebar as if it's a legitimate user request simply because it comes from an allow-listed domain. "The attacker's page embeds the vulnerable Arkose component in a hidden <iframe>, sends the XSS payload via postMessage, and the injected script fires the prompt to the extension," Yomtov explained. "The victim sees nothing." Successful exploitation of this vulnerability could allow the adversary to steal sensitive data (e.g., access tokens), access conversation history with the AI agent, and even perform actions on behalf of the victim (e.g., sending emails impersonating them, asking for confidential data). Following responsible disclosure on December 27, 2025, Anthropic deployed a patch to the Chrome extension that enforces a strict origin check requiring an exact match to the domain "claude[.]ai." Arkose Labs has since fixed the XSS flaw at its end as of February 19, 2026. "The more capable AI browser assistants become, the more valuable they are as attack targets," Koi said. "An extension that can navigate your browser, read your credentials, and send emails on your behalf is an autonomous agent. And the security of that agent is only as strong as the weakest origin in its trust boundary." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  artificial intelligence, browser security, cybersecurity, Vulnerability, web security, xss Trending News FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures

Indicators of Compromise

• domain — a-cdn.claude.ai
• domain — claude.ai