Palo Alto Networks Unit 42 Uncovers Vulnerability in Google Chrome’s Gemini AI Panel

• 11 Mar 2026
• TM Team
• 0 Comments

Unit 42 has identified and responsibly disclosed a high-severity vulnerability affecting “Gemini Live in Chrome,” Google Chrome’s AI-powered side panel.

At a high level, the issue involved a privilege escalation or “privilege jump.” Chrome extensions typically operate within defined permission boundaries. However, Unit 42 found that a malicious extension could manipulate how the Gemini web app was loaded inside Chrome’s AI side panel — a browser environment that operates with higher privileges than a standard web tab.

Because the Gemini panel is treated as a trusted browser surface, influencing what loads inside it could allow an extension-controlled payload to execute in a more powerful context than the extension itself was granted.

How it worked: Privilege Escalation via AI Side Panels?

The vulnerability allowed a malicious browser extension — even one with basic host permissions — to interfere with the Gemini Live side panel. Researchers found the extension could leverage Chrome’s request-modification capabilities to intercept and alter resources associated with the Gemini web application. This issue applied only when Gemini was accessed through the side panel, not a regular browser tab.

When loaded in the side panel, Gemini runs within a more privileged browser process, tightly integrated with browser features and granted enhanced capabilities that ordinary web pages do not have.

Due to how requests and content embedding were implemented, an extension permitted to interact with the Gemini domain could intercept and modify JavaScript resources before they were rendered in the panel. In effect, attacker-controlled code could be injected into content executing inside the panel’s higher-trust environment.

The extension itself did not gain new permissions. Instead, it manipulated the content pipeline feeding a privileged component. Because that component already had elevated capabilities, the injected code effectively “rode along” into a more powerful execution context — creating the privilege jump.

A successful exploit of could have enabled an attacker to:

· Access local files and directories

· Capture screenshots of browsing sessions

· Activate camera and microphone capabilities without appropriate awareness

· Execute phishing attacks within the trusted Gemini interface

The attack required no additional user interaction beyond installing a malicious extension and opening the Gemini panel.

Anupam Upadhyaya, SVP, Product Management, Prisma SASE, Palo Alto Networks, said, “Today’s agentic browsers can act on your behalf — researching, reasoning and taking action without direct user input. While this can deliver meaningful productivity gains, in the absence of enterprise-grade controls these tools can take autonomous actions beyond IT oversight. By inheriting a user’s browser session and accessing screens, files, cameras and microphones, agentic browsers can expand the attack surface through prompt manipulation and weakened web isolation, creating security and accountability gaps enterprises haven’t faced before.

The research highlights a broader architectural lesson: as AI becomes embedded into core browser components, strict isolation between extension-controlled content and privileged AI surfaces is essential to preserving the browser’s security model.