Perplexity AI Browser Flaw Could Let Calendar Invites Access Local Files
A security flaw in Perplexity’s AI-powered Comet browser could have allowed attackers to access files on a user’s computer using something as routine as a calendar invitation.
Researchers say the issue shows how AI browser agents can accidentally follow malicious instructions that are hidden within everyday content. While Perplexity has since patched the vulnerability, the incident highlights a bigger security challenge as agentic browsers gain traction.
These AI tools can read data, follow instructions, and act on behalf of users, but security experts warn they may introduce new attack paths if guardrails are not carefully designed.
Researchers warn of risks tied to AI browser agents
Security researchers from Zenity Labs disclosed the vulnerability as part of a wider set of issues they call PleaseFix, which affects agentic browsers, including Perplexity’s Comet.
As reported by Business Wire on Yahoo Finance, these AI-powered browsers work differently from traditional ones.
“Unlike traditional browsers that primarily display content, agentic systems interpret instructions, retain authenticated context, and autonomously execute actions across applications and services,” according to Business Wire.
This wider range of capabilities also brings new security risks. Since the AI agent can read content, follow instructions, and act while staying logged in, harmful prompts hidden in everyday life can potentially trigger actions without the user’s knowledge.
The Register noted that attackers could exploit the vulnerability by hiding harmful content within everyday tasks, such as calendar invitations. The publication said that Comet’s AI agent could access the file:// protocol, allowing it to retrieve files stored on the user’s local device.
“Perplexity didn’t put a restriction on the AI agent reaching out to anything on the file system,” Zenity CTO Michael Bargury told The Register.
Calendar invitations used as the attack vector
Researchers explained that attackers could exploit the vulnerability by leveraging everyday workflow content, such as calendar invitations.
According to TechRadar, in one scenario, a malicious calendar entry contained a prompt instructing the AI tool to “scour through the victim’s files, look for documents named ‘passwords’ or similar, and exfiltrate whatever information is found.” The attack could run in the background while the user still receives the expected AI-generated summary.
Researchers also showed how attackers could manipulate the AI agent’s workflows to interact with browser extensions such as password managers. The AI operates within an authenticated session, meaning it could potentially access credentials stored in tools like 1Password without exploiting a flaw in the password manager itself.
Bargury also told Business Wire that the vulnerabilities allow attackers to hijack an AI agent’s capabilities and inherit whatever access the user has granted the browser. “This is an agent trust failure that exposes data, credentials, and workflows in ways existing security controls were never designed to see,” Bargury mentioned.
Patch released after disclosure
The Register noted that Zenity reported the vulnerability to Perplexity last October, and the company released an initial patch in January 2026. However, researchers later found they could bypass the fix using a modified file path technique.
A second patch released in February restricted the browser’s ability to access the local file system through the file:// protocol, closing the attack path demonstrated by the researchers.
Security experts believe the incident highlights the complexity of securing AI-powered tools that automatically process large amounts of external content and perform tasks on behalf of users.
If malicious instructions are embedded in that content, AI agents may interpret them as legitimate commands and carry them out using the permissions already granted to the user.
Read TechRepublic’s guide on how to choose a business-ready password manager by evaluating security, admin controls, scalability, and identity system integrations.
About Author
