Chrome Bug Lets Malicious Extensions Access Mic, Camera, And Files Through Gemini’s Permissions
by Justin Erickson
Researchers disclosed a high-severity Chrome vulnerability, CVE-2026-0628, that allowed malicious browser extensions to inject code into Chrome’s Gemini Live browser panel and gain access to its privileges. Palo Alto Networks Unit 42 said: “We found that an extension with access to a basic permission set through the declarativeNetRequests API allowed permissions that could have enabled an attacker to inject JavaScript code into the new Gemini panel.” Malwarebytes adds that the flaw allows an attacker to “start [the] camera and microphone without new consent prompts, enumerate local files and directories, take screenshots of any HTTPS site, and even turn the Gemini panel itself into a phishing UI.” Although the flaw was patched in a January update, the finding adds to rising concerns about the security and trustworthiness of AI assistants.
The best ways to keep yourself safe from attacks like this:
- Don’t give AI access to your sensitive information (or delete it if you already have)
- Uninstall the AI model completely
- “Install as few [Chrome] extensions as possible, from vendors you can identify and contact. Prefer open‑sourced or well‑audited extensions for anything that touches sensitive workflows…”
- “…Be suspicious of sudden [extension] permission changes or unexplained new capabilities after updates.”
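One way to act on the last recommendation, as an added example (not code from this article, Unit 42 or Malwarebytes): a Node.js function that compares the permissions in two versions of an extension's manifest.json and flags newly requested declarativeNetRequest-family permissions and broad host patterns. The sample manifests, the watch list and the function names are constructed for illustration.

```javascript
// Added example. Manifests below are constructed samples, not real extensions.
// Watch list (an assumption of this example): the declarativeNetRequest
// permission family and host patterns that match every site.
const WATCHED = new Set([
  "declarativeNetRequest",
  "declarativeNetRequestWithHostAccess",
  "declarativeNetRequestFeedback",
  "<all_urls>", "*://*/*", "https://*/*", "http://*/*",
]);

// Collect string entries from the named manifest fields into one set.
function collect(manifest, fields) {
  const out = new Set();
  for (const f of fields)
    for (const p of manifest[f] || []) if (typeof p === "string") out.add(p);
  return out;
}

// Compare what an extension requires at install time before and after an update.
function diffPermissions(oldManifest, newManifest) {
  const required = ["permissions", "host_permissions"];
  const optional = ["optional_permissions", "optional_host_permissions"];
  const before = collect(oldManifest, required);
  const after = collect(newManifest, required);
  const wasOptional = collect(oldManifest, optional);
  const added = [...after].filter((p) => !before.has(p)).sort();
  return {
    added,                                              // newly required
    removed: [...before].filter((p) => !after.has(p)).sort(),
    promoted: added.filter((p) => wasOptional.has(p)),  // optional -> required
    flagged: added.filter((p) => WATCHED.has(p)),       // on the watch list
    needsReview: added.length > 0,
  };
}

// Constructed sample: version 1.0 versus version 1.1 of a hypothetical extension.
const SAMPLE_OLD = {
  manifest_version: 3, version: "1.0",
  permissions: ["storage"],
  optional_permissions: ["tabs"],
  host_permissions: ["https://example.com/*"],
};
const SAMPLE_NEW = {
  manifest_version: 3, version: "1.1",
  permissions: ["storage", "tabs", "declarativeNetRequest"],
  host_permissions: ["<all_urls>"],
};
console.log(diffPermissions(SAMPLE_OLD, SAMPLE_NEW));
```

Keep a copy of each installed extension's manifest.json and run the comparison after every update; anything in `flagged` deserves a look before the extension is left enabled.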
