Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Dark Reading

AI Agents Undermine Progress in Browser Security

AI agents in web browsers are negating the security improvements made to the browser security stack over the last three decades. These agents introduce new attack vectors and undermine existing security measures.

Robert Lemos, Contributing Writer
January 21, 2026
5 Min Read
Source: CoreRock via Shutterstock

Browser security is far from perfect, but technologists and cybersecurity researchers have built a security model that, for the most part, works. However, artificial intelligence (AI) agents could be manipulated to wipe out that progress.

Agentic browsers suffer from a key security weakness — inadequate isolation — according to research published last week by Trail of Bits, a cybersecurity research consultancy. The current crop of agentic browsers treats the agent as a proxy for the user, allowing it to cross different tabs and even reach the local system, as if the agent were an authorized, known user. Using reflected cross-site scripting, an attacker could modify the context for an AI agent, essentially changing what it believes. Using data exfiltration, the attacker could convince the AI agent to take local information and send it to an attacker-controlled server.

These attacks have been eliminated — or at least made far more difficult — in current browsers, but agentic browsers reset that security progress, says Keith Hoodlet, engineering director of application security and AI/ML at Trail of Bits.

"The same origin policy would prevent you from reading data from other sites that are currently open in your browser, but here we are — now 2026 — and adding AI back into the mix is undoing a lot of those protections," he says. "Now you have an application that can perform actions like a human. It gets logged as if those actions are taking place like a human in some respects, and it opens the world to new challenges."

Overall, the security of vanilla browsers has become better. Secure browser technology has strengthened the protections even more for enterprises, especially as the coronavirus pandemic forced companies to quickly expand their remote workforce.

However, as agentic browsers began appearing last year, cybersecurity firms quickly found that they lacked the protection of their nonagentic siblings. Prompt injection attacks, which bury commands for the AI agent in Web pages, documents, or emails, have become the basis for the vast majority of attacks targeting these browsers.

Blurring the Line Between Data and Code

In one example of an attack, a multifactor authentication token sent through email could be exfiltrated to an attacker to complete an account takeover by using a prompt injection attack, according to the Trail of Bits research. The research used gists — GitHub's method for sharing information and code — to inject additional instructions into prompts, suborning control of the AI agent and convincing it to take actions on behalf of the attacker.

Among the most serious attacks are data exfiltration attacks that can grab data from websites the user is logged into, similar to a cross-site request forgery (CSRF) attack.

"The data exfiltration, at the end of the day, is the thing that a lot of people aren't going to understand is happening under the hood, and it's likely to lead to the worst possible outcomes," Trail of Bits' Hoodlet says. "That is likely to lead to a whole host of downstream impacts against users at scale."

Because agentic browsers lack strict boundaries of isolation, a prompt injection attack can access local files and logged-in services.
Source: Trail of Bits

Other companies have found similar flaws. In November, browser security firm SquareX discovered a critical vulnerability in Perplexity's Comet browser that allowed an embedded model-context protocol server to access local data and files. And in a test of agentic browsers using 20 common abuse scenarios, researchers at hCaptcha, a privacy-focused bot-detection service, found that nearly all the agents attempted the malicious requests.

The hCaptcha researchers were able to conduct unauthorized account manipulation, hijack sessions, and exfiltrate data, many times with minimal or no jailbreaking. The agents often failed because they lacked the tools to do what the user requested, rather than because of anti-malware defenses. Some even attempted malicious activities on an explicit request, such as SQL injection and JavaScript injection, the company said in an October analysis.

Agentic browser manufacturers have so far failed to put even basic safeguards in place, says Shawn Wolffarth, general manager for enterprise at hCaptcha, part of Intuition Machines.

"They are well aware of what to do," he says. "We have made detailed suggestions to some of them but have seen no real changes. They seem to think spending development time on safety will slow them down and perhaps let competitors win in this new market."

Another major issue is that attackers have a better chance of exploiting vulnerabilities if they target agentic browsers, because most agentic browsers are built on older versions of the Chromium open source browser code, Hoodlet says. That means attackers don't need to find zero-day vulnerabilities to exploit; they can have good success with n-day exploits.

An Unsolvable Problem?

AI companies have their work cut out for them. Because agentic browsers use a nonhuman agent and communicate in natural language for both data and commands, finding ways to isolate different functions and establishing guardrails may never lead to perfect security, Hoodlet says.

"I think that prompt injections are going to exist perpetually given the way that large language models operate, the way that they're built, and the way that they work," he says. "[Companies should] start from a place where you understand that a prompt injection is always going to be a risk, [and] you have to design for that risk."

Companies that intend to use agentic browsers should take care. Organizations need to put protections around any agentic browsers, basically treating them like any tool that executes untrusted code from the Internet, Wolffarth says.

"Agentic browsers need to be carefully sandboxed and limited in scope," he says. "If they have access to sensitive company data, they should not also be able to reach arbitrary sites on the Internet."

In its research, hCaptcha also noted that the tools likely expose their creators to liability because every request is routed through their servers, which have no capabilities for detecting malicious requests, sensitive data that AI agents should not be handling, or actions that break security.

"Until these basic controls are implemented and validated, these agents should not be trusted with real user sessions, and will likely do more harm than good in the world," the company stated in its analysis.

About the Author

Robert Lemos, Contributing Writer
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
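The two controls Wolffarth and Hoodlet describe above, same-origin isolation for the agent and a rule that a session handling sensitive company data cannot also reach arbitrary Internet hosts, can be expressed as a policy enforced outside the language model, where an injected prompt cannot rewrite it. The following is an added illustration and is not code from the article, Trail of Bits, or hCaptcha; the session fields, the action names, and every host and URL it uses are constructed for the example.

```python
"""Added example, not code from the article, Trail of Bits, or hCaptcha:
a minimal capability policy for an agentic browser session.  It enforces
the two controls the article describes: the agent may only read the origin
it was tasked with (same-origin isolation), and a session that handles
sensitive company data may only reach an explicit host allowlist.  Local
file access is denied outright.  Every name and sample URL is constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Canonical (scheme, host, port) origin, as the same-origin policy defines it."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return f"{parts.scheme}://{parts.hostname}:{port}"


@dataclass
class AgentSession:
    task_origin: str                      # origin of the tab the user asked the agent to work in
    handles_sensitive_data: bool          # set when the task exposes company or account data
    allowed_hosts: frozenset = frozenset()   # egress allowlist, used only when sensitive data is in scope
    user_granted_origins: set = field(default_factory=set)  # extra origins the user explicitly approved

    def __post_init__(self):
        self.task_origin = origin_of(self.task_origin)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(session: AgentSession, action: str, target: str) -> Decision:
    """Decide whether the agent may perform `action` on `target`.

    Actions: read_tab (read page content), navigate, send (submit data),
    read_local_file.  Anything unrecognised is denied by default."""
    if action == "read_local_file":
        return Decision(False, "local filesystem is outside the agent sandbox")

    if action in ("read_tab", "navigate", "send"):
        origin = origin_of(target)
        host = urlsplit(target).hostname

        if origin == session.task_origin:
            return Decision(True, "same origin as the task")

        if action == "read_tab":
            if origin in session.user_granted_origins:
                return Decision(True, "origin explicitly granted by the user")
            return Decision(False, f"cross-origin read of {origin} blocked")

        # navigate / send to some other origin: this is the egress path
        if session.handles_sensitive_data:
            if host in session.allowed_hosts:
                return Decision(True, f"{host} is on the egress allowlist")
            return Decision(False, f"egress to {host} blocked while sensitive data is in scope")
        return Decision(True, "no sensitive data in scope; open egress permitted")

    return Decision(False, f"unknown action {action!r} denied by default")


def run_demo() -> list:
    """Replays the article's scenarios against a constructed webmail session."""
    session = AgentSession(
        task_origin="https://mail.example.com/inbox",
        handles_sensitive_data=True,             # the inbox holds MFA codes
        allowed_hosts=frozenset({"docs.example.com"}),
    )
    checks = [
        ("send", "https://collector.attacker.example/upload"),   # exfiltrating an MFA token
        ("read_tab", "https://bank.example/accounts"),           # reading another logged-in tab
        ("read_local_file", "/home/user/.ssh/id_ed25519"),       # reaching the local system
        ("navigate", "https://docs.example.com/policy"),         # allowlisted, legitimate
    ]
    return [evaluate(session, action, target) for action, target in checks]


if __name__ == "__main__":
    for decision in run_demo():
        print("ALLOW" if decision.allowed else "DENY ", decision.reason)
```

The design point is where the decision is made: the policy sits in the browser's tool layer and sees only the concrete action and its target URL, so text the model ingested from a Web page, document, or email has no channel through which to loosen it. Each Decision also carries a reason string, which gives the per-request logging that hCaptcha notes the vendors' proxies currently lack.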
