A serious zero-click vulnerability in Anthropic's Claude Chrome Extension put more than 3 million users at risk of silent prompt-injection attacks. The flaw, which has now been fixed, could have let attackers steal Gmail access tokens, read Google Drive files, export chat history, and send emails without anyone knowing.

The exploit chained two separate bugs to take over the whole browser. The first was that the Claude extension itself had an origin allowlist that was too open. The second was in a third-party CAPTCHA verification component, whose challenge components were hosted on a first-party subdomain, a-cdn.claude.ai.

HackerOne responsibly disclosed the flaw to Anthropic on December 26, 2025. Anthropic confirmed and prioritized it within 24 hours, and released a fix on January 15, 2026.
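An added example, not code from Anthropic or from the original article: it shows why an origin allowlist that trusts every subdomain inherits the risk of whatever is hosted there, such as the third-party component on a-cdn.claude.ai. The article does not publish the extension's real allowlist, so the wildcard rule, the exact-match set and the sample origins are assumptions.

```javascript
// Constructed illustration: both policies below are assumed, not the
// extension's actual code.

// Parse an origin string; return null if it is not a valid URL.
function parseOrigin(origin) {
  try { return new URL(origin); } catch { return null; }
}

// Permissive policy (assumed): trust any HTTPS host under the parent domain.
function isTrustedPermissive(origin) {
  const url = parseOrigin(origin);
  if (!url || url.protocol !== "https:") return false;
  return url.hostname === "claude.ai" || url.hostname.endsWith(".claude.ai");
}

// Strict policy (assumed minimal set): exact match on the full origin.
const EXACT_ORIGINS = new Set(["https://claude.ai"]);

function isTrustedStrict(origin) {
  const url = parseOrigin(origin);
  // url.origin normalizes scheme, host and port; requiring equality with the
  // input rejects strings that carry a path, query or credentials.
  return url !== null && url.origin === origin && EXACT_ORIGINS.has(url.origin);
}

// Constructed sample sender origins.
const SAMPLES = [
  "https://claude.ai",
  "https://a-cdn.claude.ai",        // first-party subdomain with third-party content
  "https://claude.ai.example.net",  // look-alike host
  "http://claude.ai",               // wrong scheme
  "not a url",
];

// Origins the permissive rule accepts but the exact-match rule rejects.
function overTrusted(samples) {
  return samples.filter(o => isTrustedPermissive(o) && !isTrustedStrict(o));
}

console.log(overTrusted(SAMPLES));
```

Any origin this audit reports is one whose hosted content, including third-party components, would be able to message the extension under the permissive rule.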

Users should check that their installed version is 1.0.41 or higher by going to chrome://extensions.
