Skip to main content

Claude Desktop CVE-2026-44467

| EUVDEUVD-2026-30048 HIGH
Improper Validation of Certificate with Host Mismatch (CWE-297)
2026-05-13 security-advisories@github.com
7.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.4 HIGH
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 10:30 vuln.today
Patch available
May 13, 2026 - 17:03 EUVD

DescriptionGitHub Advisory

The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in ~/.ssh/known_hosts without comparing the server's presented host key against the stored key. This allowed a network-positioned attacker to present an arbitrary SSH host key and have the connection silently accepted, enabling a man-in-the-middle attack on remote development sessions. Successful exploitation required the attacker to be in a network position to intercept SSH traffic (e.g., via ARP spoofing, rogue Wi-Fi, or DNS poisoning) and the target hostname to already have an entry in the victim's known_hosts file. This vulnerability is fixed in 1.4304.0.

AnalysisAI

Man-in-the-middle attacks against Claude Desktop's SSH remote development feature are possible in versions 1.2581.0 through 1.4303.x because the client only checks that a hostname exists in ~/.ssh/known_hosts without verifying that the server's presented host key matches the stored key. A network-positioned adversary can substitute an arbitrary host key during an SSH handshake and have the connection silently accepted, allowing interception or modification of remote developer sessions. No public exploit identified at time of analysis, and EPSS (0.02%) plus SSVC (Exploitation: none) indicate no active exploitation despite the high CVSS 4.0 score of 7.4.

Technical ContextAI

Claude Desktop is Anthropic's GUI client that wraps Claude Code and supports SSH-based remote development for running coding sessions against remote hosts. The defect is a classic CWE-297 (Improper Validation of Certificate with Host Mismatch) applied to SSH host key pinning: known_hosts is intended to bind a hostname to a specific public key fingerprint (Trust-On-First-Use), and the SSH client must reject connections when the presented key does not match the pinned entry. Claude Desktop's SSH integration treated the mere presence of a known_hosts entry for the target hostname as sufficient, skipping the cryptographic comparison and effectively disabling the strict host key checking guarantee that OpenSSH and similar tooling normally enforce. The CPE cpe:2.3:a:anthropic:claude_desktop:*:*:*:*:*:*:*:* covers the affected client; the EUVD record lists the underlying claude-code component in the same version window, reflecting that Claude Desktop bundles Claude Code functionality.

RemediationAI

Vendor-released patch: upgrade Claude Desktop to 1.4304.0 or later, which restores proper host key comparison against the known_hosts entry; see the GitHub Security Advisory GHSA-3rwf-2g6p-c2f9 at https://github.com/anthropics/claude-code/security/advisories/GHSA-3rwf-2g6p-c2f9 for vendor guidance. Until upgraded, avoid initiating Claude Desktop SSH remote development sessions over untrusted networks (public Wi-Fi, conference LANs, shared hotel networks) and prefer tunneling through a trusted VPN or SSH bastion so the first network hop cannot be hijacked by ARP/DNS spoofing - the trade-off is added latency and configuration overhead. As a secondary compensating control, remove or rotate known_hosts entries for sensitive remote development targets so a re-prompt would surface unexpected key changes, accepting that legitimate connections will require manual re-verification. Where feasible, perform SSH from a vetted terminal client (OpenSSH) that enforces StrictHostKeyChecking until the patched Claude Desktop build is deployed.

Share

CVE-2026-44467 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy