Cybersecurity researchers from Palo Alto Networks have uncovered a high-severity vulnerability affecting the AI-powered Gemini panel in the Google Chrome browser. The issue, tracked as CVE-2026-0628, was discovered by the company’s threat intelligence division Unit 42 and has since been patched by Google in early January 2026.
The flaw impacted “Gemini Live in Chrome,” the side panel interface used to access the AI assistant Gemini directly within the browser.
Experience: What Security Researchers Found
Unit 42 researchers identified a privilege escalation vulnerability, sometimes referred to as a “privilege jump.” Normally, Chrome extensions operate within strictly defined permission boundaries. However, the researchers discovered that a malicious browser extension could manipulate how the Gemini web application loads inside Chrome’s AI side panel.
Unlike a standard browser tab, the Gemini side panel operates with elevated browser privileges. Because it is treated as a trusted browser interface, influencing what content loads inside it can allow attacker-controlled code to run with more capabilities than the extension itself is allowed.
The vulnerability specifically affected Gemini when accessed through the Chrome side panel, not when the AI assistant was opened in a regular browser tab.
Expertise: How the Exploit Worked
The exploit relied on request-modification capabilities available to Chrome extensions. A malicious extension with basic permissions could intercept and modify network resources associated with the Gemini web application.
Researchers found that the extension could:
Intercept JavaScript resources requested by the Gemini interface
Modify those resources before they were rendered in the side panel
Inject attacker-controlled code into the Gemini execution environment
Because the Gemini side panel runs in a more privileged browser process, the injected code could execute within that higher-trust environment. Importantly, the extension itself did not gain new permissions; instead, it manipulated the content pipeline feeding the privileged component.
This allowed the attacker’s code to effectively “ride along” into a stronger execution context, creating the privilege escalation condition.
Authoritativeness: Potential Security Risks
If successfully exploited, CVE-2026-0628 could have allowed attackers to perform sensitive actions including:
Accessing local files and directories
Capturing screenshots of browsing sessions
Activating camera or microphone capabilities
Running phishing attacks within the trusted Gemini interface
The attack required no additional user interaction beyond installing a malicious extension and opening the Gemini panel, making it particularly concerning from a security standpoint.
Trustworthiness: Disclosure and Fix
Palo Alto Networks responsibly disclosed the vulnerability to Google on October 23, 2025. After confirming the findings, Google implemented a security fix that was rolled out in January 2026, closing the vulnerability in the Gemini side panel environment.
Security experts say the issue highlights emerging risks tied to AI-powered browser agents, which increasingly integrate deeply with system and browser functions.
Anupam Upadhyaya, Senior Vice President of Product Management at Palo Alto Networks, noted that modern “agentic browsers” can act autonomously—researching, reasoning, and performing tasks on behalf of users. While this brings productivity benefits, such capabilities can also expand the attack surface by giving AI-driven tools access to browser sessions, files, cameras, and microphones.
According to Upadhyaya, prompt manipulation, weak web isolation, and autonomous browser actions may introduce new enterprise security and accountability challenges that organizations have not traditionally faced.
