TTP Advisory: Opera GX Browser Flaw | No CVE | Severity: Critical (P1, $5,000 bug bounty) | Vendor: Opera | Product: Opera GX Browser | Fixed in: v130.0.5847.89
What Is the Vulnerability
A critical flaw in Opera GX, the gaming-focused version of the Opera browser, allowed malicious websites to silently install a browser add-on (GX Mod) without any user approval or click. The installed mod could then extract specific data from pages the victim visits. Researchers demonstrated a proof-of-concept that reconstructed a signed-in user’s full Gmail address from a single page visit with zero user interaction required. The flaw exists in how Opera GX’s mod pipeline handles installation: mods are automatically downloaded and enabled without any approval prompt. A malicious page can trigger installation by loading a hidden iframe pointed at a .crx file.
Versions Affected
- Opera GX — all versions prior to 130.0.5847.89
Opera GX is a gaming-focused browser with millions of users globally, popular among the gaming and streaming communities.
Exploited?
No confirmed exploitation in the wild. Opera stated it found no evidence the flaw was ever used in attacks. However, the zero-click, no-approval nature of the exploit makes it exceptionally dangerous — it requires no user interaction beyond visiting a malicious page.
Fix
Opera released a fix in Opera GX version 130.0.5847.89. Users on current builds are protected.
- Primary fix: Update to Opera GX 130.0.5847.89 or later. Check your version at opera://about.
- No workaround: Because the attack needed no clicks or approvals, there was no workaround short of patching.
Recommendations
- Update immediately: Ensure Opera GX is updated to version 130.0.5847.89.
- Verify version: Navigate to opera://about in Opera GX to confirm your build.
- Consider browser security posture: This vulnerability highlights the risk of browser features that bypass standard installation approval flows.
References
- The Hacker News: Opera GX Flaw
- Opera GX changelog (v130.0.5847.89)
Part of the Vulnerability Intelligence series on threat-modeling.com. July 6, 2026 Report.
