Published: 2026-03-09
Categories: AI Security, Browser Security, Vulnerability Management, Agentic AI, Privilege Escalation
Browser-Integrated AI Panel Hijack: CVE-2026-0628 and the Emerging Attack Surface of Embedded AI
Cloud Security Alliance AI Safety Initiative | Research Note | March 9, 2026
Key Takeaways
Two coordinated disclosures published during the first week of March 2026 reveal a nascent but consequential attack surface: the browser-embedded AI panel. The following findings summarize the core technical and strategic implications examined in this note.
- CVE-2026-0628, dubbed “Glic Jack,” is a high-severity (CVSS 8.8) privilege escalation vulnerability in Google Chrome’s Gemini Live side panel that allowed browser extensions with basic permissions to hijack the AI assistant and access camera, microphone, local files, and screenshots from any open website [1][2].
- The root cause was a policy enforcement gap: Chrome engineers did not include chrome://glicWebView in the extension blocklist that protects other privileged browser components, allowing extensions to use the declarativeNetRequest API — normally used for ad filtering — to inject arbitrary JavaScript into the AI panel’s elevated execution context [1][3].
- A parallel disclosure by Zenity Labs identified a related family of vulnerabilities, “PleaseFix,” in the Perplexity Comet agentic browser, suggesting that the problem may extend beyond a single vendor and could represent a structural challenge common to the embedding of autonomous AI agents in browser platforms [4].
- The vulnerability class is distinct from traditional browser extension abuse because AI panels operate with capabilities — real-time microphone access, filesystem traversal, screenshot capture — that conventional browser tabs do not possess, elevating the potential harm from a garden-variety extension compromise to a full ambient-access surveillance capability [2][3].
- Both vulnerabilities were responsibly disclosed and patched prior to public reporting, but the underlying architecture challenge persists: as browsers deepen AI integration, each new capability surface must be individually hardened against lower-privilege code paths that now exist in the same process space [4][5].
Background
The embedding of AI assistants directly into web browsers represents a meaningful departure from the prior model in which AI capabilities were accessed through discrete web applications. Rather than navigating to a standalone AI chat interface, users of Chrome’s Gemini Live feature, Perplexity’s Comet browser, and similar products interact with AI agents that are architecturally resident in the browser itself — able to observe the user’s active tabs, manipulate page content, interact with locally stored files, and access device hardware in ways that web applications could not without explicit user permission grants. This integration is intended to enable ambient assistance, real-time content summarization, and autonomous task execution on behalf of the user.
The security model governing at least some of these embedded AI panels — as CVE-2026-0628 and PleaseFix demonstrate — has not kept pace with the capability rollout, though the full landscape varies by vendor and product. Traditional browser security architecture treats the tab as the primary isolation boundary, with extension permissions calibrated against the assumption that the most sensitive operations an extension might perform involve intercepting or modifying web traffic. The Gemini Live panel — hosted at the internal chrome://glic URL — operates under a fundamentally different capability profile than an ordinary browser tab, yet, as CVE-2026-0628 demonstrated, Chrome’s policy enforcement infrastructure did not initially recognize this distinction. The oversight meant that an extension granted routine permissions could interact with the Gemini panel in ways that would not have been possible against any hardened browser component.
Palo Alto Networks Unit 42 researcher Gal Weizman identified and reported the vulnerability to Google on October 23, 2025, under responsible disclosure guidelines [1]. Google released a patch in early January 2026, incorporated into Chrome versions 143.0.7499.192/.193 for Windows and macOS and 143.0.7499.192 for Linux [3]. Public technical disclosure by Unit 42 followed on March 2, 2026, widely reported under the codename “Glic Jack” — a contraction of “Gemini Live in Chrome hijack” [1][2]. The coordinated disclosure window provided enterprise and consumer deployments the opportunity to apply the patch before exploit techniques were widely circulated, though the gap of roughly ten weeks underscores the urgency organizations should attach to browser update cadence in environments where AI features are enabled.
This analysis reflects publicly available information as of March 9, 2026; readers should verify current patch status and vendor advisories at time of use.
Security Analysis
Vulnerability Mechanics
The core flaw in CVE-2026-0628 lies in the intersection of two Chrome subsystems: the WebView tag that renders the Gemini panel, and the declarativeNetRequest API that extensions use to define rules intercepting or modifying HTTPS requests. Chrome maintains a blocklist of internal browser components that extensions are prohibited from reaching through this API; the chrome://glic WebView hosting the Gemini Live panel was absent from that blocklist [1][2]. As a consequence, an extension with declarativeNetRequest permissions — a permission set commonly granted to ad blockers, privacy tools, and content filters, and thus unremarkable from a user or enterprise review perspective — could define rules that intercepted requests originating from the Gemini panel context and injected arbitrary JavaScript in response.
The criticality of this attack chain lies not in the extension permission itself, which is genuinely low-trust, but in what the injection target can do. When a user opens the Gemini Live side panel, the panel is not operating as a conventional web page. It has been granted by Chrome a set of capabilities — persistent access to the device microphone and camera for voice interaction, the ability to capture screenshots of any loaded HTTPS page, and read access to local filesystem paths for file attachment and analysis — that exist nowhere in the ordinary web application permission model [2][3]. An extension injecting JavaScript into this context does not receive its own permissions; it inherits the panel’s. The privilege escalation is therefore categorical: an extension that could not have accessed a user’s microphone through any API it legitimately held could, via this vulnerability, leverage the Gemini panel’s already-granted microphone access as a proxy. The attack surface is effectively an ambient access capability that a less-privileged process can silently adopt.
The attack requires a user to have installed a malicious or compromised extension and to have opened the Gemini Live panel during the same browser session — conditions that are not unreasonably strict in environments where employees actively use Gemini Live for productivity tasks and where extension vetting may not be rigorous. Social engineering techniques to encourage extension installation are well-documented and widely deployed; the additional step of prompting a Gemini interaction could plausibly be accomplished through a crafted webpage that embeds language encouraging the user to consult Gemini, though this specific attack path has not been publicly demonstrated in the wild.
The Privilege Inversion Problem
A useful analytical frame for understanding this vulnerability class — which this note terms the privilege inversion problem — describes the structural condition in AI-augmented browsers where capability and trust become decoupled. Conventional browser security assumes a monotonically increasing relationship between capability and trust: more-trusted components — browser internals, system processes — possess more capability, while less-trusted code — extensions, web content — operates under tighter constraints. AI panels break this assumption. By design, the Gemini panel must be granted substantial capabilities to fulfill its function as an ambient assistant, making it one of the most privileged execution contexts in the browser while simultaneously being one of the most complex and attack-surface-rich — it processes untrusted web content, executes network requests, and interprets user instructions expressed in natural language, all within a context that holds hardware access permissions.
The vulnerability disclosed by Unit 42 represents, to the authors’ knowledge, the first publicly documented case of an attacker-controlled lower-privilege component successfully escalating into an AI panel context, but the structural conditions that produced it are present wherever AI assistants are embedded in software platforms that also host extension or plugin ecosystems. Products such as the Microsoft Edge Copilot panel and Firefox’s emerging AI integration features may occupy analogous architectural positions, though detailed trust boundary documentation for each has not been publicly disclosed at the time of writing. Perplexity Comet’s agentic browsing model similarly sits in this category: a high-capability component embedded in a platform that also permits relatively low-trust third-party code to run in adjacent execution contexts [4][5].
PleaseFix and the Wider Agentic Browser Threat Landscape
On March 4, 2026, Zenity Labs published disclosure of “PleaseFix,” a family of vulnerabilities affecting Perplexity Comet, under the sub-family name “PerplexedBrowser” [4]. Where CVE-2026-0628 involved a technical misconfiguration in Chrome’s policy enforcement, PleaseFix leveraged indirect prompt injection — the technique of embedding adversarial instructions in content that an AI agent will autonomously process — to achieve two categories of impact. The first exploit was zero-click in character: an attacker-controlled trigger, such as a calendar invite that the Comet agent processes autonomously during routine workflow execution, caused the agent to access and exfiltrate local files to an attacker-controlled endpoint while returning expected results to the user. The second exploit manipulated the agent’s authorization flow to abuse password manager integrations, enabling credential theft or full account takeover within authenticated sessions without directly exploiting the password manager itself [4].
The Zenity disclosure is significant in combination with CVE-2026-0628 because the two vulnerabilities arrive through different vectors — technical API misuse versus semantic manipulation of AI behavior — yet converge on the same critical impact: an attacker who controls content the AI agent will process can direct that agent’s elevated capabilities against the user’s interests. Michael Bargury, CTO of Zenity Labs, characterized the risk in terms of agent inheritance: “Attackers can push untrusted data into AI browsers and hijack the agent itself, inheriting whatever access it has been granted.” [4] This framing aligns with the broader concern that agentic AI systems create a pattern analogous to the classical confused deputy problem, where the agent — rather than a system process — is the trusted party whose authority is redirected by a less-privileged or untrusted input.
| Vulnerability | Affected Product | Attack Vector | Capabilities Exposed | Disclosure |
|---|---|---|---|---|
| CVE-2026-0628 (Glic Jack) | Google Chrome / Gemini Live | Malicious extension via declarativeNetRequest API | Camera, microphone, screenshots, local files | Mar 2, 2026 [1] |
| PleaseFix / PerplexedBrowser (Exploit 1) | Perplexity Comet | Indirect prompt injection via calendar invite | Local filesystem read and exfiltration | Mar 4, 2026 [4] |
| PleaseFix / PerplexedBrowser (Exploit 2) | Perplexity Comet | Indirect prompt injection via agent workflow | Password manager credentials, account takeover | Mar 4, 2026 [4] |
Implications for Enterprise Deployments
Organizations that have deployed Chrome or Comet with AI features enabled across employee workstations face several converging exposures. First, the patch for CVE-2026-0628 was released on January 6, 2026, but enterprise browser deployments often operate on managed update schedules, which can introduce a window between patch availability and universal deployment. Security teams should audit browser version distribution to confirm that no endpoints remain on pre-143.0.7499.192 Chrome builds [3]. Second, organizations that rely on extension allowlisting as a primary browser security control should recognize that CVE-2026-0628 illustrates the limits of permission-level review: the declarativeNetRequest permission is held by a large category of common productivity extensions — including ad blockers and privacy tools — so its presence on a submitted extension would not trigger elevated scrutiny under most review frameworks, and wholesale blocking of the permission would be disruptive to legitimate workflows. Enterprise teams should evaluate this tradeoff in their specific environments rather than treating the permission as an unconditional disqualifier.
Third, the prompt injection pathway demonstrated by PleaseFix highlights a threat vector that enterprise security controls are largely unprepared to address. Traditional endpoint detection and response systems, email security gateways, and DLP solutions do not inspect the semantic content of AI agent instructions or detect when a workflow has been manipulated to execute unauthorized file access. OpenAI has publicly characterized prompt injection as unlikely to ever be “fully solved,” given its fundamental similarity to social engineering [5], suggesting that organizations cannot rely on vendors to eliminate this class of vulnerability through product updates alone. Enterprise risk posture must account for agentic AI as a new attack path that bypasses conventional tool-based controls.
Recommendations
Immediate Actions
Enterprise security teams should begin by confirming the patch status of all managed Chrome deployments. Browser version data is queryable through enterprise management platforms such as Google Admin Console, Microsoft Intune, and JAMF, and should be cross-referenced against endpoint inventory to ensure no endpoints remain on pre-143.0.7499.192 Chrome builds [3]. Organizations that have not yet established a formal process for tracking browser version distribution across managed endpoints should treat this gap as a priority remediation item independent of this specific CVE.
Alongside patch verification, security teams should audit browser extension inventories for any extension holding declarativeNetRequest permissions that was not explicitly approved through a formal review process. While the CVE-2026-0628 patch removes the specific exploitation path, extensions with this permission warrant elevated scrutiny as a class, and the audit exercise will surface any extensions that reached endpoints outside standard procurement channels.
Organizations should also assess whether the Gemini Live panel or equivalent agentic browser features are necessary for documented organizational workflows. Where they are not, disabling these features through enterprise browser policy eliminates the capability surface entirely. For environments where agentic features are enabled, users should be informed that the AI panel operates with hardware access permissions — including microphone, camera, screenshot capture, and local file access — that represent a distinct and elevated trust boundary relative to ordinary browser tabs.
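The two audit steps above (patch status against the 143.0.7499.192 baseline, and extensions holding declarativeNetRequest permissions outside the approved set) as one script, added here as an example and not vendor tooling. The inventory JSON shape, hostnames, extension ids and the non-baseline version strings are constructed assumptions; real exports from Admin Console, Intune or JAMF will need their own adapter.

```python
"""Patch-status and extension audit for CVE-2026-0628 (added example, not
vendor tooling). The inventory JSON shape is an assumption; real exports from
Admin Console, Intune or JAMF differ. It reports Chrome builds below the
patched release and declarativeNetRequest extensions outside the approved list.
"""
import json
import re

# Minimum patched Chrome build per platform, from the advisory cited as [3].
PATCHED_BUILD = {
    "windows": (143, 0, 7499, 192),
    "mac": (143, 0, 7499, 192),
    "linux": (143, 0, 7499, 192),
}
# Chrome manifest permissions that grant request-rule capability. The note
# names the first; the other two are its host-access and feedback variants.
DNR_PERMISSIONS = {
    "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess",
    "declarativeNetRequestFeedback",
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return a Chrome version as a 4-tuple of ints, or None if malformed."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None

def is_patched(version_text, platform):
    """True when the build is at or above the patched release for platform."""
    version = parse_version(version_text)
    baseline = PATCHED_BUILD.get(platform.lower())
    if version is None or baseline is None:
        return False  # unknown version or platform: treat as unpatched
    return version >= baseline

def audit_inventory(inventory_json, approved_extension_ids):
    """One finding per unpatched build or unapproved DNR-capable extension."""
    findings = []
    for endpoint in json.loads(inventory_json):
        host = endpoint["hostname"]
        if not is_patched(endpoint["chrome_version"], endpoint["platform"]):
            findings.append({"host": host, "type": "unpatched_chrome",
                             "detail": endpoint["chrome_version"]})
        for ext in endpoint.get("extensions", []):
            held = DNR_PERMISSIONS & set(ext.get("permissions", []))
            if held and ext["id"] not in approved_extension_ids:
                findings.append({"host": host, "type": "unapproved_dnr_extension",
                                 "detail": f"{ext['name']} ({ext['id']}): {sorted(held)}"})
    return findings

# Constructed sample inventory; hostnames, versions other than the patched
# baseline, and extension ids are placeholders.
SAMPLE_INVENTORY = json.dumps([
    {"hostname": "ws-001", "platform": "windows", "chrome_version": "143.0.7499.192",
     "extensions": [{"id": "ext-adblock-approved", "name": "Ad Filter",
                     "permissions": ["declarativeNetRequest", "storage"]}]},
    {"hostname": "ws-002", "platform": "mac", "chrome_version": "143.0.7499.155",
     "extensions": [{"id": "ext-unknown-1", "name": "Coupon Helper",
                     "permissions": ["declarativeNetRequestWithHostAccess"]}]},
    {"hostname": "ws-003", "platform": "linux", "chrome_version": "144.0.7520.10",
     "extensions": [{"id": "ext-notes", "name": "Notes", "permissions": ["storage"]}]},
])
APPROVED_EXTENSIONS = {"ext-adblock-approved"}

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY, APPROVED_EXTENSIONS):
        print(finding)
```

An approved ad blocker on a patched build produces no finding; the unpatched endpoint with an unreviewed host-access extension produces both finding types.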
Short-Term Mitigations
Enterprise security teams should develop and publish internal guidance on AI-enabled browser features that explicitly addresses extension co-residency risk. Users who employ AI panels for sensitive work should be advised to close the panel when installing or testing new extensions, and extension installation events on managed endpoints should generate log entries reviewed by security operations.
Organizations deploying agentic browser products such as Perplexity Comet should implement controls that limit the scope of agent-executable actions, particularly those involving local filesystem access, credential stores, and outbound data transmission. Where vendors provide agent permission scope controls, these should be configured to the minimum required for the documented use case rather than left at default. Security teams should request documentation from browser AI vendors describing the trust model governing what sources of content can influence agent behavior, as indirect prompt injection risk scales directly with the breadth of content the agent autonomously processes.
Browser security policy should be reviewed and updated to incorporate AI panel capabilities as a distinct risk category. Existing policies that focus on extension permissions, web content filtering, and data loss prevention were authored before AI panels introduced hardware access capabilities into the browser threat model. Updated policies should address the conditions under which AI panel features may be enabled, the review process for extensions permitted to co-reside with those features, and the incident response procedures applicable when AI panel behavior appears anomalous.
Strategic Considerations
The structural challenge that CVE-2026-0628 and PleaseFix reveal — that AI capabilities embedded in multi-tenant software platforms create novel privilege escalation surfaces — will not be resolved by a single patch cycle. Browser vendors face the difficult architectural problem of isolating high-capability AI components from the extension and web content layer without degrading the ambient assistance functionality that motivates the integration in the first place. Security organizations should monitor the evolution of browser security architectures as vendors respond to this emerging threat class, and should engage with vendor security programs to advocate for clear documentation of AI panel trust boundaries, formal inclusion of AI components in extension blocklists, and adversarial review of prompt injection pathways that could redirect agentic capabilities.
At the organizational level, the emergence of agentic browsers as a significant attack surface represents an argument for incorporating AI browser features into threat modeling exercises. Red team engagements and penetration tests targeting environments with AI-enabled browsers should explicitly include AI panel hijack and indirect prompt injection scenarios, as conventional test plans focused on web application exploitation and credential attacks are unlikely to surface these vectors without explicit scope extension. The MAESTRO threat modeling framework’s emphasis on systematically characterizing agent capability surfaces, trust boundaries, and privilege escalation pathways provides a structured methodology for this work [6].
CSA Resource Alignment
The vulnerabilities analyzed in this note map to several active areas of CSA guidance. MAESTRO, the CSA agentic AI threat modeling framework, is directly applicable: its hierarchical risk model addresses the category of lower-trust components exploiting the capabilities of higher-trust agents, and its guidance on agent trust boundary definition should inform how organizations assess AI panel deployments [6]. Security teams should apply MAESTRO’s Layer 1 (Foundation Model) and Layer 4 (Agent Runtime) analysis to their browser AI deployments to identify analogous misconfiguration risks.
The CSA AI Controls Matrix (AICM) v1.0 provides a controls framework applicable to this threat class. Domain areas covering AI supply chain security, shared security responsibility, and agentic AI governance are relevant to organizations making decisions about browser AI feature enablement, extension vetting, and vendor trust assessment. Organizations using the AICM as a controls baseline should consider whether their current control coverage adequately addresses the browser as a deployment platform for agentic AI capabilities.
The CSA Cloud Controls Matrix (CCM) threat and vulnerability management domain (TVM) applies to the patch management dimension of this note: the period between the January 6, 2026 Chrome patch release and universal enterprise deployment represents an exposure window that CCM TVM controls are designed to minimize. Enterprises should review whether their browser update cadence meets the patch SLA commitments defined in their CCM-aligned control implementations.
CSA’s Zero Trust guidance is also relevant to the PleaseFix scenario. Zero Trust principles — continuous verification, least-privilege access, and micro-segmentation — apply to agentic AI systems in the same way they apply to human users and service accounts. An agent that is granted file system access, credential store interaction, or outbound network capability broader than the narrowly defined task it performs violates least-privilege principles and creates the conditions for the confused-deputy exploitation pattern that PleaseFix demonstrates. Organizations applying Zero Trust architectures should explicitly extend their privilege minimization and access verification requirements to AI agents operating within managed environments.
The CSA STAR program provides organizations a mechanism for assessing AI service providers against documented security controls. As agentic browser vendors grow into a recognized product category, security teams should require STAR-registered assessments or equivalent third-party security documentation as a condition of enterprise deployment.
References
[1] Palo Alto Networks Unit 42, “Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel,” Palo Alto Networks Unit 42 Blog, March 2, 2026. https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/
[2] S. Lakshmanan, “New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel,” The Hacker News, March 2026. https://thehackernews.com/2026/03/new-chrome-vulnerability-let-malicious.html
[3] Vulert, “CVE-2026-0628: Chrome Gemini Panel Privilege Escalation,” Vulert Blog, March 2026. https://vulert.com/blog/chrome-cve-2026-0628-gemini-panel-privilege/
[4] Zenity Labs / Help Net Security, “The vulnerability that turns your AI agent against you,” Help Net Security, March 4, 2026. https://www.helpnetsecurity.com/2026/03/04/agentic-browser-vulnerability-perplexedbrowser/
[5] OpenAI, “Hardening ChatGPT Atlas against prompt injection attacks,” OpenAI Blog, 2025. https://openai.com/index/hardening-atlas-against-prompt-injection/
[6] Cloud Security Alliance, “MAESTRO: Agentic AI Threat Modeling Framework,” CSA, 2025. https://cloudsecurityalliance.org/ (Note: URL resolves to CSA homepage; readers should search the CSA publications library for the current MAESTRO document permalink.)
Additional Reading
The following sources cover CVE-2026-0628 and corroborate the core facts presented in this note. They are provided as supplemental references for readers seeking additional coverage.
- Malwarebytes, “Chrome flaw let extensions hijack Gemini’s camera, mic, and file access,” Malwarebytes Blog, March 2026. https://www.malwarebytes.com/blog/news/2026/03/chrome-flaw-let-extensions-hijack-geminis-camera-mic-and-file-access
- SOCRadar, “CVE-2026-0628: Chrome ‘Gemini Live’ Side Panel Injection Bug,” SOCRadar Blog, March 2026. https://socradar.io/blog/cve-2026-0628-chrome-gemini-live-injection-bug/
- The Register, “Chrome AI panel became privilege escalator for extensions,” The Register, March 3, 2026. https://www.theregister.com/2026/03/03/google_chrome_bug_gemini/
- Dark Reading, “Bug in Google’s Gemini AI Panel Opens Door to Hijacking,” Dark Reading, March 2026. https://www.darkreading.com/endpoint-security/bug-google-gemini-ai-panel-hijacking