Chrome Gemini Vulnerability CVE-2026-0628: Remote Camera, Microphone Access Without User Interaction


A high-severity flaw in Google Chrome’s Gemini AI assistant allows attackers to access cameras, microphones, and local files remotely. Tracked as CVE-2026-0628, it requires no clicks beyond opening the AI panel. Palo Alto Networks’ Unit 42 found it and reported it on October 23, 2025. Google patched it on January 5, 2026.

Gemini Live runs as a side panel with elevated privileges for viewing the screen and carrying out tasks. It is granted camera, microphone, file, and screenshot access. This design enables the features but widens the attack surface. The bug involved the declarativeNetRequest API, which extensions commonly use to modify network requests.

In a normal tab, extensions can hook gemini.google.com/app with only ordinary page-level powers. The Gemini side panel loads the same URL but with browser-level rights. A malicious extension can inject JavaScript there and inherit those rights, with no extra permissions required.

Attackers distribute malicious extensions through stores or by hijacking existing ones. Once installed, the extension waits for the user to open Gemini. Silent surveillance or data theft follows, and phishing content looks legitimate because it comes from the trusted panel.

Google said: “We addressed CVE-2026-0628 in Chrome’s January 5, 2026 update. All users should update to the latest version for protection.”

Microsoft Edge note: “Similar AI panels in Edge reviewed; no related issues found.”

Attack Capabilities

Action                 | Impact
-----------------------|---------------------------
Camera/Mic Activation  | Spy without consent
Screenshot Capture     | Grab screen data
Local File Access      | Steal documents
Phishing in Panel      | Fool users with trusted UI

Extension stores have seen more bad actors recently. Legitimate extensions get sold and turned malicious. Enterprises face surveillance risks on employee devices.

Affected Systems

Chrome on all platforms is affected before the January 2026 update. Updating now blocks the attack. Monitor extension lists for risks.

Defense Steps

  • Update Chrome to latest version.
  • Review and remove unknown extensions.
  • Block side panel auto-loads in policies.
  • Scan for mic/camera use alerts.
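The second step, reviewing installed extensions, is easier with a quick manifest audit. The script below is an added example, not code from the article, Unit 42, or Google. It walks a Chrome profile's Extensions folder (the usual layout, Extensions/<id>/<version>/manifest.json, is an assumption) and flags extensions that hold the declarativeNetRequest permission named in the article together with host access that covers gemini.google.com. The three manifests embedded in it are constructed samples; a "high" rating is a triage cue for a closer look, not proof that an extension is malicious.

```python
"""Audit Chrome extension manifests for request-modifying permissions combined with
host access to gemini.google.com. Added example; not the article's or Google's code."""
import json
import tempfile
from pathlib import Path

# Permissions that let an extension reshape or observe network requests.
REQUEST_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess", "webRequest"}
GEMINI_HOST = "gemini.google.com"

# Constructed sample manifests (not real extensions), keyed by made-up extension ids.
SAMPLE_MANIFESTS = {
    "benignnotesaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Benign Notes", "manifest_version": 3,
        "permissions": ["storage"],
    },
    "requesttweakerbbbbbbbbbbbbbbbbbb": {
        "name": "Request Tweaker", "manifest_version": 3,
        "permissions": ["declarativeNetRequest"],
        "host_permissions": ["*://*.google.com/*"],
    },
    "adfilterccccccccccccccccccccccc": {
        "name": "Ad Filter", "manifest_version": 3,
        "permissions": ["declarativeNetRequest"],
        "host_permissions": ["https://example.com/*"],
    },
}


def _matches_gemini(pattern: str) -> bool:
    """True if a Chrome match pattern can cover gemini.google.com."""
    if pattern == "<all_urls>":
        return True
    # Strip scheme and path: "https://*.google.com/*" -> "*.google.com"
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    if host == "*":
        return True
    if host.startswith("*."):
        # "*.google.com" matches google.com itself and any subdomain of it
        return GEMINI_HOST == host[2:] or GEMINI_HOST.endswith(host[1:])
    return host == GEMINI_HOST


def audit_manifest(ext_id: str, manifest: dict) -> dict:
    """Rate one manifest: high = request perms plus Gemini host access,
    medium = request perms only, none = neither."""
    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    request_perms = sorted(perms & REQUEST_PERMS)
    gemini_hosts = [h for h in hosts if _matches_gemini(h)]
    if request_perms and gemini_hosts:
        risk = "high"
    elif request_perms:
        risk = "medium"
    else:
        risk = "none"
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "request_perms": request_perms, "gemini_hosts": gemini_hosts, "risk": risk}


def audit_profile(profile_dir) -> list:
    """Audit every manifest under <profile>/Extensions/<id>/<version>/ (assumed layout)."""
    results = []
    for manifest_path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        ext_id = manifest_path.parents[1].name
        with open(manifest_path, encoding="utf-8") as f:
            results.append(audit_manifest(ext_id, json.load(f)))
    return results


def demo() -> list:
    """Write the constructed samples into a temporary profile layout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in SAMPLE_MANIFESTS.items():
            d = Path(tmp, "Extensions", ext_id, "1.0_0")
            d.mkdir(parents=True)
            d.joinpath("manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_profile(tmp)


if __name__ == "__main__":
    # Point audit_profile() at a real profile directory to audit installed extensions.
    for r in demo():
        print(f"{r['risk']:6} {r['name']} ({r['id']}) "
              f"perms={r['request_perms']} gemini_hosts={r['gemini_hosts']}")
```

Run it against a real profile by calling audit_profile() with the profile path (for example the "Default" folder under Chrome's user data directory). Extensions rated high warrant a look at their update history and ownership, since the article notes that legitimate extensions are sometimes sold and repurposed.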

FAQ

What is CVE-2026-0628?

A Gemini panel flaw that lets extensions hijack the camera and files.

How do attackers exploit it?

A malicious extension injects JavaScript into the privileged Gemini context.

Is it fixed?

Yes, Google patched it on January 5, 2026. Update immediately.

Who discovered it?

Palo Alto Networks Unit 42 researchers.
