Two AI Framework Vulnerabilities This Week. Both Gave Attackers Full System Control.
On January 5, 2026, Google quietly shipped a patch for a high-severity vulnerability in Chrome that most users never heard about. Tracked as CVE-2026-0628 and codenamed Glic Jack, it had been sitting in Google Chrome’s Gemini Live integration since September 2025 — when Google first embedded Gemini directly into the browser as an agentic side panel capable of reading your files, controlling your camera, and listening through your microphone.
Researchers at Palo Alto Networks Unit 42 discovered the flaw in October 2025 and disclosed it responsibly. Google confirmed and patched it before public disclosure. The hole has been closed. But Glic Jack is one of the most instructive security incidents of 2026 — not because of what it did, but because of what it reveals about the entire class of risk that AI integration into trusted software creates.
Chrome’s Gemini Live panel runs as a privileged side panel, not as an ordinary browser tab. That distinction matters enormously. When gemini.google.com/app loads in a regular tab, browser extensions can intercept and inject JavaScript into it — but that injection inherits only standard tab-level permissions. When the same URL loads inside the Gemini browser panel, Chrome hooks it with elevated, browser-level capabilities: the ability to read local files, take screenshots, access the camera, and activate the microphone. These are the capabilities Gemini needs to function as an agentic assistant. They are also exactly the capabilities an attacker would want.
The vulnerability was a missing entry on a blocklist. Chrome’s declarativeNetRequest rules — the mechanism that governs how extensions can intercept browser traffic — explicitly excluded certain privileged browser components from being tampered with by extensions. The Gemini Live panel’s WebView component, introduced with the chrome://glic URL in September 2025, was never added to that blocklist. The engineers who shipped the Gemini integration forgot to protect the new component they had just created.
The practical consequence: a malicious extension using only basic declarativeNetRequest permissions — permissions that look completely innocuous in Chrome’s permission model — could inject arbitrary JavaScript into the Gemini panel and inherit all of its elevated access. Once inside, the extension could take photos through the webcam, record audio through the microphone, read the contents of local files and directories, capture screenshots of any open website, and render convincing phishing overlays inside what appeared to users to be a trusted, browser-native interface.
The attack was named “Glic Jack” — short for Gemini Live in Chrome hijack — by the Unit 42 researchers who discovered it. Google confirmed the issue and released a patch on January 5, 2026, prior to public disclosure.
Extension-based attacks have historically been considered relatively low-severity. The prerequisite — convincing a user to install a malicious extension — was seen as a significant barrier. Glic Jack demonstrates why that calculus has fundamentally changed.
The number of malicious extensions deployed to browser web stores has grown significantly in recent years. Many are removed quickly, but not before reaching thousands of users. Additionally, legitimate extensions have been hijacked or sold to threat actors who pushed malicious updates to already-installed endpoints, turning trusted tools into silent weapons.
The extensions most likely to be hijacked are productivity tools with large install bases — tools that users trust because they have trusted them for years. When one of those extensions is sold to a threat actor or has a malicious update pushed through its update mechanism, it silently becomes a weapon installed on the machines of everyone who already trusts it. No new social engineering required.
Before Glic Jack, a hijacked extension operating in that scenario had access to standard tab-level browser capabilities. After Gemini’s integration, the same hijacked extension — if it exploited the Glic Jack vulnerability before the patch — had access to the camera, microphone, local file system, and a trusted UI surface for phishing. The AI integration transformed the blast radius of every existing malicious extension.
Within an enterprise, a malicious extension gaining access to the camera, microphone and local files of workers is a real danger to the organization. That understates it. For organizations where developers, executives, or finance teams have access to sensitive systems, the combination of persistent camera/microphone access and local file reading via a trusted browser component is not just a privacy risk. It is corporate espionage infrastructure.
The specific Glic Jack vulnerability has been patched. Chrome 143.0.7499.192 is not vulnerable. But the architectural dynamic that created it has not been resolved — and cannot be resolved with a single patch.
Each new privileged AI component added to Chrome expands the attack surface available to malicious extensions, a danger Glic Jack makes concrete. As Palo Alto Networks’ Unit 42 researchers found, deeply integrating agentic capabilities creates risks that outlast individual patches. “By placing this new component within the high-privilege context of the browser, developers could inadvertently create new logical flaws and implementation weaknesses.”
Google added Gemini to Chrome in September 2025. The missing blocklist entry existed for less than two months before a researcher found it. As one Palo Alto Networks researcher put it: “the more power you give software in the name of convenience, the more careful you have to be about who else might get their hands on it.”
Microsoft’s Copilot in Edge and a growing category of standalone agentic browsers all operate on the same architectural principle: a deeply integrated AI assistant with privileged access to browser and system capabilities, extending the same elevated attack surface that Glic Jack exploited. The CVE itself is Chrome-specific. The class of risk is industry-wide.
For security teams evaluating AI-integrated browser deployments, Glic Jack provides a clear lesson about where the risk lives. It is not primarily in the AI model’s behavior — it is in the privileged infrastructure that the AI runs on, and in the attack surfaces that infrastructure creates for other components (extensions, in this case) that share the same environment.
The mitigation advice from the Unit 42 researchers is straightforward: update browsers immediately, audit installed extensions aggressively, and treat AI-integrated browser features as high-risk infrastructure requiring the same security scrutiny as any other privileged software. Be suspicious of sudden permission changes or unexplained new capabilities after updates. Monitor for anomalies like cameras activating unexpectedly, unexplained screenshots, or Gemini-related processes touching unusual file paths.
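The extension audit and the "sudden permission changes" check described above can both start from manifest data. The following Python is an added example, not code from Unit 42, Google or this article's author; the watched URL comes from the article, while the finding labels, the sample manifests and the choice to flag declarativeNetRequest combined with host access to that URL are assumptions made for illustration.

```python
import re

# Permissions that let an extension act on requests declaratively.
DNR_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}
# URL the article names as the page loaded inside the Gemini panel.
WATCHED_URL = "https://gemini.google.com/app"
# Constructed sample manifests (not real extensions): before and after an update.
OLD = {"name": "Tab Tidy", "permissions": ["storage"], "host_permissions": []}
NEW = {"name": "Tab Tidy", "permissions": ["storage", "declarativeNetRequest"],
       "host_permissions": ["https://*.google.com/*"]}


def pattern_matches(pattern, url):
    """Evaluate a Chrome match pattern (scheme://host/path) against an http(s) URL."""
    if pattern == "<all_urls>":
        return True
    m = re.fullmatch(r"(\*|https?)://(\*|(?:\*\.)?[^/*]+)(/.*)", pattern)
    u = re.fullmatch(r"(https?)://([^/]+)(/.*)?", url)
    if not m or not u:
        return False
    scheme, host, path = m.groups()
    if scheme not in ("*", u.group(1)):
        return False
    if host.startswith("*."):
        base = host[2:]  # "*.google.com" covers google.com and its subdomains
        if u.group(2) != base and not u.group(2).endswith("." + base):
            return False
    elif host not in ("*", u.group(2)):
        return False
    path_re = ".*".join(re.escape(part) for part in path.split("*"))
    return re.fullmatch(path_re, u.group(3) or "/") is not None


def audit(current, previous=None):
    """Return findings for one manifest; `previous` is the pre-update manifest."""
    perms = set(current.get("permissions", []))
    hosts = set(current.get("host_permissions", []))
    findings = []
    if perms & DNR_PERMISSIONS and any(pattern_matches(h, WATCHED_URL) for h in hosts):
        findings.append("dnr-with-gemini-host-access")
    if previous is not None:
        before = set(previous.get("permissions", [])) | set(previous.get("host_permissions", []))
        added = sorted((perms | hosts) - before)
        if added:  # permissions or hosts that appeared only after the update
            findings.append("added-after-update:" + ",".join(added))
    return findings
```

Feeding it the `manifest.json` of each installed extension, plus the copy saved at the previous inventory run, yields a review queue rather than a verdict: many legitimate extensions request these permissions.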
For organizations building their own AI-integrated products — any application that embeds an AI assistant with access to local resources, privileged APIs, or user credentials — Glic Jack is a direct warning. The security properties of AI integrations need to be evaluated specifically, not inferred from the security properties of the underlying model. Apta Sentry’s code scanning and runtime monitoring capabilities are built for exactly this layer: static analysis of AI integration code paths to identify privilege escalation vectors before deployment, and behavioral monitoring at runtime to detect when an AI component is being directed to do something it was not designed to do.
The patch is out. The lesson is not.
