TL;DR
- Vulnerability: CVE-2026-0628 (CVSS 8.8) allowed rogue Chrome extensions with basic permissions to hijack the Gemini panel’s camera, microphone, and file access.
- Root Cause: Chrome engineers failed to include the chrome://glic WebView in the blocklist that prevents extensions from intercepting privileged browser components.
- Patch: Google fixed the vulnerability in Chrome 143.0.7499.192 in January 2026, after Palo Alto Networks researcher Gal Weizman reported it in November 2025.
- Broader Risk: Each new privileged AI component added to Chrome expands the attack surface available to malicious extensions, a danger Glic Jack makes concrete.
Chrome’s Gemini panel requires camera and microphone access to function as an AI assistant. That same elevated access, researchers found, could be claimed by any rogue extension, including one with only the low-level permissions an ad blocker uses. CVE-2026-0628 on NIST NVD describes the flaw as “insufficient policy enforcement in the WebView tag,” enabling script injection into a privileged page. The issue carries a CVSS score of 8.8 and was dubbed “Glic Jack” (shorthand for Gemini Live in Chrome hijack) by the Palo Alto Networks Unit 42 researcher who identified it. Google patched the vulnerability in January 2026.
What Attackers Could Do
The Gemini panel’s privileged position inside Chrome is what made the vulnerability so consequential. Gemini Live is built into Chrome with the ability to grab screenshots, read local files, and activate a device’s camera or microphone. A rogue extension exploiting Glic Jack could leverage those same capabilities without user knowledge or consent, accessing the victim’s camera and microphone, capturing screenshots of any open website, and reading locally stored files on the device.
Attackers could also inject JavaScript into a more trusted browser context, intercepting and tampering with traffic flowing to and from the Gemini panel. Instructions injected through the flaw could persist across sessions, converting a temporary compromise into a durable foothold on the victim’s machine.
An extension holding only the basic permission set typical of an ad blocker was sufficient to trigger the vulnerability. The asymmetry – where minimal extension privileges could reach the highest-privilege component of the browser – is precisely what researchers found alarming. That threat profile far exceeds what Chrome’s extension permission model was designed to contain.
How the Attack Worked
That asymmetry had a specific technical origin rooted in Chrome’s architecture. Chrome uses the chrome://glic internal panel URL to load its Gemini side panel, which embeds the Gemini web app from gemini.google.com inside a WebView component. That WebView is a privileged container that Chrome equips with expanded system capabilities, including camera, microphone, and file access.
The attack path ran through the declarativeNetRequest API, a Chrome extension interface that allows extensions to intercept and modify HTTPS web requests. It is the same API used by content blockers and is included in a basic, low-level permission set that Chrome users approve routinely. Yet the API was not designed to reach into privileged browser-internal components – an assumption Glic Jack showed was not being enforced.
Security researcher Gal Weizman of Palo Alto Networks Unit 42 explained how those two facts combined into a serious flaw:
“An extension with access to a basic permission set through the declarativeNetRequest API allowed permissions that could have enabled an attacker to inject JavaScript code into the new Gemini panel. When the Gemini app is loaded within this new panel component, Chrome hooks it with access to powerful capabilities.”
Gal Weizman, Security Researcher at Palo Alto Networks Unit 42 (via Palo Alto Networks)
As a result, an extension using declarativeNetRequest to intercept requests directed at the Gemini WebView could inject arbitrary JavaScript into that privileged execution context, effectively piggybacking on Chrome’s own hooks to the panel’s elevated system access. From there, the extension could reach capabilities – including camera, microphone, and local files – that its declared permissions would not have allowed under normal circumstances.
The Engineering Omission
The root cause traced back to a single oversight in Chromium’s implementation. Weizman explained that Chromium’s own post-mortem identified the problem as WebView components having been overlooked when engineers applied rejection logic to declarativeNetRequest rules. The policy meant to block extensions from intercepting requests to privileged WebViews was not applied to chrome://glic, because the WebView was not included in the list of contexts to protect.
The NVD entry for CVE-2026-0628 describes “insufficient policy enforcement in the WebView tag in Google Chrome.” An attacker who convinced a user to install a malicious extension could inject scripts or HTML into a privileged page via a crafted Chrome extension.
In this respect, the Glic Jack case stands as a cautionary precedent for how AI features enter browsers. The flaw was not an exotic exploit; it was a missing entry on a blocklist. With each new privileged AI component added to Chrome, the same class of omission is possible unless engineers explicitly enumerate each new context as a protected target. WinBuzzer previously examined this concern when covering AI security and Chrome data privacy.
Finding the Flaw
That missing entry went undetected for less than two months before a researcher found it. Google added Gemini integration to Chrome in September 2025, giving the browser an AI side panel with system-level capabilities that far outpace anything conventional extensions are permitted to do.
Within two months, Gal Weizman of Palo Alto Networks’ Unit 42 had identified the architectural gap that allowed a rogue extension to exploit those capabilities without restriction. He reported the flaw to Google on November 23, 2025.
Google issued the fix in early January 2026. The vulnerability is resolved in Chrome version 143.0.7499.192 or later on Windows and Mac. Users who have not updated since December 2025 or earlier should treat the update as urgent.
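A defender-side triage of the two conditions described above (a Chrome build older than the fixed version, and an installed extension that pairs a declarativeNetRequest permission with host access covering gemini.google.com), as an added example that is not from Google, Unit 42 or the original article. The manifest heuristic, the function names, the sample manifests and the sample installed version are assumptions constructed for illustration.

```javascript
// Added example (not from the article): triage exposure to CVE-2026-0628.
const FIXED_VERSION = "143.0.7499.192";  // fixed build named in the article
const GEMINI_HOST = "gemini.google.com"; // web app embedded by chrome://glic
const DNR_PERMS = ["declarativeNetRequest", "declarativeNetRequestWithHostAccess"];

// True when dotted version `installed` is numerically lower than `fixed`.
function isOlderThan(installed, fixed) {
  const a = installed.split(".").map(Number);
  const b = fixed.split(".").map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0;
  }
  return false;
}

// Hypothetical helper: does an extension match pattern cover https://<host>/ ?
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]+)\/.*$/.exec(pattern);
  if (!m || m[1] === "http") return false; // http-only patterns miss the HTTPS app
  const h = m[2];
  if (h === "*" || h === host) return true;
  return h.startsWith("*.") && (host === h.slice(2) || host.endsWith(h.slice(1)));
}

// Names of extensions whose manifest combines a DNR permission with Gemini host access.
function auditExtensions(manifests) {
  return manifests.filter((m) => {
    const perms = [...(m.permissions || []), ...(m.optional_permissions || [])];
    const hosts = [...(m.host_permissions || []), ...(m.optional_host_permissions || [])];
    return perms.some((p) => DNR_PERMS.includes(p)) &&
           hosts.some((p) => patternCoversHost(p, GEMINI_HOST));
  }).map((m) => m.name);
}

// Combine both checks: an unpatched browser plus a flagged extension is the urgent case.
function assess(chromeVersion, manifests) {
  const vulnerable = isOlderThan(chromeVersion, FIXED_VERSION);
  const review = auditExtensions(manifests);
  return { vulnerable, review, urgent: vulnerable && review.length > 0 };
}

// Constructed sample manifests (not real extensions) and a constructed installed version.
const SAMPLE = [
  { name: "sample-blocker", permissions: ["declarativeNetRequest"], host_permissions: ["<all_urls>"] },
  { name: "sample-notes", permissions: ["storage"], host_permissions: ["https://*.google.com/*"] },
  { name: "sample-shop", permissions: ["declarativeNetRequestWithHostAccess"], host_permissions: ["https://shop.example/*"] },
  { name: "sample-filter", permissions: ["declarativeNetRequest"], host_permissions: ["*://*.google.com/*"] },
];
console.log(assess("143.0.7499.109", SAMPLE));
```

On a patched browser the flagged extensions are still worth reviewing as part of normal extension hygiene; the `urgent` field only marks the combination of both conditions.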
The two-month gap between feature launch and the identification of a key privilege escalation flaw indicates that the current security review cadence for AI browser components does not match the pace of their deployment. Each new agentic capability Chrome ships creates a fresh attack surface, and Glic Jack suggests that surface is being probed faster than it is being audited.
However, the coordinated reporting process worked: Weizman’s November 2025 disclosure produced a January 2026 patch, containing the exposure before public exploitation was documented. Google had also patched another high-severity Chrome vulnerability in November 2025, part of a pattern of urgent security responses as Chrome expands its AI footprint.
A Warning for Agentic Browsers
Beyond this specific patch, the underlying architectural risk remains unresolved. Glic Jack is not, in isolation, a case of an unusual coding error. It is a case of architectural consequence: integrating AI features with core browser software can quietly reshape the browser’s threat model in ways that go beyond any single flaw. As Palo Alto Networks’ Unit 42 researchers found, deeply integrating agentic capabilities creates risks that outlast individual patches.
“By placing this new component within the high-privilege context of the browser, developers could inadvertently create new logical flaws and implementation weaknesses. This could include vulnerabilities related to cross-site scripting (XSS), privilege escalation, and side-channel attacks that can be exploited by less-privileged websites or browser extensions.”
Gal Weizman, Security Researcher at Palo Alto Networks Unit 42 (via Palo Alto Networks)
As browsers integrate more agentic AI features – panels that can read files, control device hardware, and take actions on the user’s behalf – the gap between what an extension is permitted to do and what it can accomplish through an architectural flaw grows wider. Glic Jack illustrates what happens when a browser component inherits system-level trust without commensurate isolation from the extension layer.
Prior Coverage and Context
The extension security risk at the center of this story has a longer history than Chrome’s AI integration. We previously reported the persistent threat posed by malicious Chrome extensions distributed through the Chrome Web Store, a supply-chain exposure that becomes more severe when extensions can reach into privileged browser components.
Meanwhile, the NIST National Vulnerability Database catalogued CVE-2026-0628 as insufficient policy enforcement in Chrome’s WebView tag, noting that an attacker who persuaded a user to install a malicious extension could use it to inject scripts or HTML into a privileged page. The fix is available now; the risk was real and active until it was applied.

