
Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website

Published:

26 March 2026 at 13:11:00

Alert date:

26 March 2026 at 14:01:15

Source:

thehackernews.com


Web Technologies, Zero-Day Vulnerabilities

Cybersecurity researchers discovered a vulnerability in Anthropic's Claude Google Chrome Extension that enabled zero-click XSS prompt injection attacks. The flaw allowed any website to silently inject malicious prompts into the Claude assistant without user interaction, making it appear as if the user wrote them. This represents a significant security risk as attackers could manipulate the AI assistant through malicious web pages without requiring any user clicks or explicit consent.

Technical details

The vulnerability chains two flaws: 1) an overly permissive origin allowlist in the Claude extension that allowed any subdomain matching *.claude.ai to send prompts to Claude, and 2) a DOM-based XSS vulnerability in an Arkose Labs CAPTCHA component hosted on a-cdn.claude.ai. The attack works by embedding the vulnerable Arkose component in a hidden iframe, delivering the XSS payload via postMessage, and having the injected script (now running on a trusted *.claude.ai origin) send prompts to the extension. The result is zero-click prompt injection: an attacker can drive the assistant in the victim's browser merely because the victim visited a page.

Mitigation steps:

Anthropic deployed a patch to the Chrome extension that enforces a strict origin check requiring an exact match to the claude.ai domain, so a script on any subdomain no longer qualifies. Arkose Labs fixed the XSS flaw as of February 19, 2026. Users should ensure their Claude extension is updated to the latest version.
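To make the origin-allowlist weakness described under "Technical details" and the exact-match fix described above concrete, the following is an added example (not the Claude extension's code, nor anything published by Anthropic or Arkose Labs). It contrasts a permissive subdomain-suffix check with a strict allowlist of exact origins in a message handler of the kind a browser extension uses to accept prompts from a web page. The sample origins, the message shape (`{type: "prompt", text}`), and the function names are constructed for illustration; only claude.ai and a-cdn.claude.ai come from the advisory.

```javascript
// Added example: permissive vs strict origin allowlist for an extension
// message handler. Illustrative only; not the real extension's code.

// Weak check, matching the pattern the advisory describes: any host under
// claude.ai is trusted, so script running on a compromised subdomain such
// as a-cdn.claude.ai passes. Scheme is checked, but the host is a wildcard.
function isTrustedOriginPermissive(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // "null" (opaque origin) and garbage are rejected
  }
  return (
    url.protocol === "https:" &&
    (url.hostname === "claude.ai" || url.hostname.endsWith(".claude.ai"))
  );
}

// Strict check, the shape of the fix: the full origin string (scheme +
// host + implicit port) must equal an allowlisted value exactly.
const TRUSTED_ORIGINS = new Set(["https://claude.ai"]);
function isTrustedOriginStrict(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Handler for a postMessage-style event carrying {origin, data}. Only the
// strict check is used; rejected messages are recorded in `log` so a
// defender can see where untrusted prompts came from.
function handleExternalMessage(event, log = []) {
  if (!isTrustedOriginStrict(event.origin)) {
    log.push(`dropped message from untrusted origin ${event.origin}`);
    return null;
  }
  const d = event.data;
  if (d === null || typeof d !== "object" || d.type !== "prompt" ||
      typeof d.text !== "string") {
    log.push(`dropped malformed message from ${event.origin}`);
    return null;
  }
  return { prompt: d.text, origin: event.origin };
}

// Constructed sample origins (not observed data) to compare the two checks.
const SAMPLE_ORIGINS = [
  "https://claude.ai",         // legitimate
  "https://a-cdn.claude.ai",   // subdomain named in the advisory
  "http://claude.ai",          // wrong scheme
  "https://claude.ai.example", // constructed lookalike
  "null",                      // opaque origin (sandboxed iframe)
];

function compareChecks(origins = SAMPLE_ORIGINS) {
  return origins.map((o) => ({
    origin: o,
    permissive: isTrustedOriginPermissive(o),
    strict: isTrustedOriginStrict(o),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks());
}
```

The table shows that only the a-cdn.claude.ai row differs between the two columns: that single difference is the whole allowlist flaw, since it lets any XSS on any subdomain inherit the privilege to talk to the extension. Note that a real extension would typically receive the sender's origin from the browser's messaging API rather than from a page-controlled field; the principle of comparing the complete origin against a short, exact allowlist is the same.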

Affected products:

Anthropic Claude Google Chrome Extension
Arkose Labs CAPTCHA component

Related links:

Related CVEs:

Related threat actors:

IOCs:

a-cdn.claude.ai

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
