April 6, 2026 by Rogue Security Research
Tags: agentic-browser, gemini, chrome, CVE, extension-security, ASI02, ASI05, ASI07

Gemini Live Panel Hijack: When Browser Extensions Jump the Trust Boundary

Chrome just turned its AI assistant into a privileged browser component. That shift quietly changed the extension threat model.

Unit 42 disclosed CVE-2026-0628, a high-severity vulnerability in Chrome’s new Gemini Live panel. A malicious extension with basic permissions could inject code into the Gemini panel and inherit its elevated capabilities.

CVE: 2026-0628
Severity: High
User prompts required: 0
Fix shipped: Jan

The Core Issue

Traditional browser security assumes extensions cannot control privileged browser components. Gemini Live broke that assumption by loading a powerful AI panel inside the browser chrome, then accidentally allowing extensions to intercept and modify its content using declarativeNetRequest rules.

Once injected, the attacker code runs inside the Gemini panel context, which has access to privileged capabilities like file access, camera, microphone, and screenshots.

Trust Boundary Violation

Extensions can edit ordinary web pages by design. They are not supposed to edit privileged browser panels. Gemini Live blurred that boundary, and CVE-2026-0628 let extensions jump it.

Attack Flow

[EXT] Extension with basic permissions
-> [DNR] declarativeNetRequest rule
-> [GEM] Injected Gemini panel code
-> [SYS] Camera, mic, files, screenshots

The attacker does not need to exploit memory corruption. The panel itself provides privileged APIs. The extension only needs to insert script into the panel.

Why This Matters For Agentic Browsers

Gemini Live is an early example of a larger shift. AI assistants are now embedded directly in browsers and given the same view the user has. That means they can see, click, and act on any site with privileged context.

When that assistant is compromised, every browser permission becomes an attack surface.

[CAMERA + MIC] Silent capture without user consent. Traditional browser prompts do not apply when the privileged component is hijacked.

[LOCAL FILES] Access to local files and directories through the Gemini panel. Extensions normally cannot read local files directly.

[SCREENSHOTS] Capture screenshots of any HTTPS site. This bypasses tab-level restrictions and can expose sensitive dashboards.

[PHISHING] A hijacked panel can render trusted UI and trick users into entering credentials inside a browser-controlled surface.

The New Extension Risk Model

Extensions used to be confined to web pages. Agentic browser panels sit above those pages and can control them. The moment that boundary blurs, extensions become a path to full browser-level privileges.

Old Assumption:
- Extensions can only touch page content
- Browser chrome is isolated
- Privileges require user prompts
- AI panel is just another page

New Reality:
- AI panels are privileged components
- Extensions can be a bridge into the panel
- Panel code has broader system access
- Prompts and permissions are bypassable

OWASP Agentic AI Mapping

This vulnerability maps directly to the 2026 OWASP Agentic Top 10 categories:

ASI02 - Tool Misuse
ASI05 - Unexpected Code Execution
ASI07 - Insecure Inter-Agent Comms

The key lesson is not about prompt injection. It is about privilege context. The AI panel is a privileged execution context, and extensions should never be able to alter it.

What Security Teams Should Do Now

01. Audit Extension Permissions
Treat declarativeNetRequest access as sensitive. It can alter response bodies and inject code into privileged contexts.

02. Isolate AI Panels
Ensure AI side panels run in processes that cannot be modified by extension-level request interception.

03. Lock Down Screen and Camera Access
Require explicit user confirmation for camera, mic, and screenshot actions initiated by AI panels.

04. Monitor Panel Behavior
Track AI panel actions separately from page activity. Look for abnormal requests and unexpected file access.

05. Re-evaluate Extension Allowlists
The risk of a malicious or hijacked extension is higher in AI browsers. Reduce extension footprint across enterprise fleets.

06. Plan For Agentic Browser Incidents
Add AI panels to your threat model. Log them like privileged apps, not like UI features.
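
One way to start the permission audit in step 01, as an added example that is not code from this post, Unit 42, or Chrome: it reads extension manifest.json documents and ranks them by declarativeNetRequest exposure. The permission and manifest key names are Chrome's; the risk tiers, the list of "broad" host patterns, and the sample manifests are assumptions constructed for illustration.

```python
import json

# Chrome manifest permission names that grant declarativeNetRequest access.
DNR_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                   "declarativeNetRequestFeedback"}
# Match patterns treated as broad host access (a triage assumption of this example).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISK_ORDER = {"high": 0, "review": 1, "none": 2}  # hypothetical tiers


def audit_manifest(manifest):
    """Return declarativeNetRequest-related findings for one parsed manifest.json."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV3 lists host patterns separately; MV2 mixes them into "permissions".
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("optional_host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    dnr = sorted(perms & DNR_PERMISSIONS)
    broad = sorted(hosts & BROAD_HOSTS)
    # Static rulesets ship in the package; rules added at runtime are not visible here.
    rulesets = [r.get("path") for r in
                manifest.get("declarative_net_request", {}).get("rule_resources", [])]
    # DNR plus broad host access is the combination to review first.
    risk = "high" if dnr and broad else "review" if dnr else "none"
    return {"name": manifest.get("name", "?"), "risk": risk, "dnr_permissions": dnr,
            "broad_hosts": broad, "static_rulesets": rulesets}


def audit_fleet(manifest_texts):
    """Audit many manifest.json documents and return findings, highest risk first."""
    findings = [audit_manifest(json.loads(text)) for text in manifest_texts]
    return sorted(findings, key=lambda f: RISK_ORDER[f["risk"]])


# Constructed sample manifests (not real extensions).
SAMPLES = [
    '{"name": "Notes Helper", "manifest_version": 3, "permissions": ["storage"]}',
    '{"name": "Tab Tidy", "manifest_version": 3, "permissions": ["declarativeNetRequest"],'
    ' "host_permissions": ["https://example.com/*"],'
    ' "declarative_net_request": {"rule_resources":'
    ' [{"id": "r1", "enabled": true, "path": "rules.json"}]}}',
    '{"name": "Page Tools", "manifest_version": 3,'
    ' "permissions": ["declarativeNetRequestWithHostAccess", "storage"],'
    ' "host_permissions": ["<all_urls>"]}',
]

if __name__ == "__main__":
    for finding in audit_fleet(SAMPLES):
        print(json.dumps(finding))
```

A manifest-only audit cannot see rules an extension registers at runtime, so treat the "review" tier as a prompt to inspect the extension rather than a clearance.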

The Broader Shift

Agentic browsers are not just browsers with a chatbot. They are privileged automation engines embedded in a trusted UI. When one component is hijacked, the entire browsing environment becomes the attack surface.

The Gemini Live incident is a warning shot. As more browsers add autonomous panels, the extension model needs to be rethought from the ground up.

