Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionGitHub Advisory
The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in ~/.ssh/known_hosts without comparing the server's presented host key against the stored key. This allowed a network-positioned attacker to present an arbitrary SSH host key and have the connection silently accepted, enabling a man-in-the-middle attack on remote development sessions. Successful exploitation required the attacker to be in a network position to intercept SSH traffic (e.g., via ARP spoofing, rogue Wi-Fi, or DNS poisoning) and the target hostname to already have an entry in the victim's known_hosts file. This vulnerability is fixed in 1.4304.0.
AnalysisAI
Man-in-the-middle attacks against Claude Desktop's SSH remote development feature are possible in versions 1.2581.0 through 1.4303.x because the client only checks that a hostname exists in ~/.ssh/known_hosts without verifying that the server's presented host key matches the stored key. A network-positioned adversary can substitute an arbitrary host key during an SSH handshake and have the connection silently accepted, allowing interception or modification of remote developer sessions. No public exploit identified at time of analysis, and EPSS (0.02%) plus SSVC (Exploitation: none) indicate no active exploitation despite the high CVSS 4.0 score of 7.4.
Technical ContextAI
Claude Desktop is Anthropic's GUI client that wraps Claude Code and supports SSH-based remote development for running coding sessions against remote hosts. The defect is a classic CWE-297 (Improper Validation of Certificate with Host Mismatch) applied to SSH host key pinning: known_hosts is intended to bind a hostname to a specific public key fingerprint (Trust-On-First-Use), and the SSH client must reject connections when the presented key does not match the pinned entry. Claude Desktop's SSH integration treated the mere presence of a known_hosts entry for the target hostname as sufficient, skipping the cryptographic comparison and effectively disabling the strict host key checking guarantee that OpenSSH and similar tooling normally enforce. The CPE cpe:2.3:a:anthropic:claude_desktop:*:*:*:*:*:*:*:* covers the affected client; the EUVD record lists the underlying claude-code component in the same version window, reflecting that Claude Desktop bundles Claude Code functionality.
RemediationAI
Vendor-released patch: upgrade Claude Desktop to 1.4304.0 or later, which restores proper host key comparison against the known_hosts entry; see the GitHub Security Advisory GHSA-3rwf-2g6p-c2f9 at https://github.com/anthropics/claude-code/security/advisories/GHSA-3rwf-2g6p-c2f9 for vendor guidance. Until upgraded, avoid initiating Claude Desktop SSH remote development sessions over untrusted networks (public Wi-Fi, conference LANs, shared hotel networks) and prefer tunneling through a trusted VPN or SSH bastion so the first network hop cannot be hijacked by ARP/DNS spoofing - the trade-off is added latency and configuration overhead. As a secondary compensating control, remove or rotate known_hosts entries for sensitive remote development targets so a re-prompt would surface unexpected key changes, accepting that legitimate connections will require manual re-verification. Where feasible, perform SSH from a vetted terminal client (OpenSSH) that enforces StrictHostKeyChecking until the patched Claude Desktop build is deployed.
More in Claude Desktop
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30048