Bug in Google's Gemini AI Panel Opens Door to Hijacking
Dark Reading
by Elizabeth Montalbano, March 2, 2026
AI-Generated Deep Dive Summary
A critical vulnerability in Google's Gemini AI panel within the Chrome browser has been addressed, highlighting significant security risks tied to the integration of AI into web browsers. The flaw, tracked as CVE-2026-0628, allowed malicious extensions with basic permissions to escalate privileges and access sensitive resources like the camera, microphone, local files, and system directories. This could enable unauthorized actions such as taking screenshots or intercepting user data.
The vulnerability stemmed from a failure to maintain security boundaries within the "declarativeNetRequest" API, which is designed for legitimate purposes but could be exploited because of the privileged nature of the Gemini side panel. The panel has elevated capabilities, including access to system resources, which makes it a potential target for attackers. Researchers demonstrated how an ordinary extension could hijack the panel and perform malicious activities.
The incident underscores the growing security risks associated with AI-integrated browsers. As agentic AI features become more prevalent, they introduce new attack vectors that traditional browsers do not face. The proactive nature of agentic AI creates a broader attack surface, amplifying risks for both individual users and organizations. While Google has patched the flaw, the discovery serves as a cautionary tale about the importance of securing advanced browser technologies.
For readers interested in security, this highlights the need to stay vigilant with browser extensions and AI-driven features. The case also emphasizes the critical role of ongoing security research and patching in mitigating emerging threats tied to cutting-edge technologies like Gemini AI.
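As an added example (not from the Dark Reading article or from Google), the Python sketch below inventories a Chrome profile's installed extensions and ranks those that request declarativeNetRequest permissions for review. The sample manifests are constructed, and the `Extensions/<id>/<version>/manifest.json` layout is an assumption about a standard desktop Chrome profile.

```python
import json
from pathlib import Path

# Manifest permission strings that grant use of the declarativeNetRequest API.
DNR_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                   "declarativeNetRequestFeedback"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Summarise how much request-rewriting reach one manifest asks for."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("optional_host_permissions", []))
    # Manifest V2 mixed host patterns into "permissions".
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    rulesets = manifest.get("declarative_net_request", {}).get("rule_resources", [])
    dnr = sorted(perms & DNR_PERMISSIONS)
    broad = sorted(hosts & BROAD_HOSTS)
    # A flag means "review this extension", not "this extension is malicious".
    priority = "high" if dnr and broad else "medium" if dnr else "none"
    return {
        "name": manifest.get("name", "?"),
        "dnr_permissions": dnr,
        "broad_hosts": broad,
        "static_rulesets": len(rulesets),
        "priority": priority,
    }


def audit_profile(extensions_dir: Path) -> list[dict]:
    """Audit every <extensions_dir>/<id>/<version>/manifest.json."""
    findings = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip, keep sweeping
        findings.append({"id": path.parts[-3], **audit_manifest(manifest)})
    return findings


# Constructed sample manifests (not real extensions).
SAMPLE_REWRITER = {"manifest_version": 3, "name": "sample-rewriter",
                   "permissions": ["declarativeNetRequest", "storage"],
                   "host_permissions": ["<all_urls>"],
                   "declarative_net_request": {"rule_resources": [
                       {"id": "r1", "enabled": True, "path": "rules.json"}]}}
SAMPLE_NOTES = {"manifest_version": 3, "name": "sample-notes", "permissions": ["storage"]}
```

Extensions ranked "medium" or "high" are candidates for manual review against an allowlist; the ranking does not replace applying the browser update that fixes the flaw.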
Originally published on Dark Reading on 3/2/2026