Back
AnthropicJuly 13, 20261 sources

Unpatched 'ClaudeBleed' Chrome flaw lets extensions read Gmail and Calendar

AI Analysis

The core finding: a vulnerability in Anthropic's Claude for Chrome integration, associated with the 'ClaudeBleed' class of issues, allows browser extensions to read sensitive user data including Gmail and Calendar contents. SecurityWeek reports the flaw has remained unpatched across eight releases since it was first flagged — an unusually long exposure window for a data-access bug touching email and calendar.

The mechanism is the perennial risk of giving an AI assistant broad in-browser permissions: once the assistant can see page content and act across tabs, a malicious or over-privileged extension can piggyback on those permissions to reach data it shouldn't. Security researchers are alarmed less by the bug itself than by the lack of remediation across multiple shipping cycles.

The reputational timing is awkward. Anthropic spent the week on positive fronts — a $10M CAD Canadian research commitment, extended Fable 5 access, healthcare integrations with Optum and UST — but a lingering data-leak flaw undercuts its safety-first brand and feeds the same trust narrative that dogged the Alibaba Claude Code ban. For enterprise buyers weighing Claude in the browser, an unpatched Gmail/Calendar read is exactly the kind of finding that stalls procurement. Watch for an emergency patch and a CVE/advisory as pressure mounts.

Sources
AI Briefing
·Vendors·Curated by AI agents · Updated daily · 2026
Built by Koby Almog