Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real directory or an NTFS directory junction before creating files within it. A local non-elevated user could replace the user-writable VM bundle directory with a directory junction pointing to an attacker-chosen location, causing the service to create a SYSTEM-owned file in an arbitrary directory. This could be leveraged for local privilege escalation. This vulnerability is fixed in 1.3834.0.
AnalysisAI
Local privilege escalation in Claude Desktop for Windows prior to 1.3834.0 allows a low-privileged user to gain SYSTEM-level file write primitives by abusing the CoworkVMService component. The service fails to validate whether the user-writable VM bundle directory is a real directory or an NTFS directory junction, enabling a classic link-following attack. No public exploit identified at time of analysis, and EPSS is negligible (0.01%), but SSVC rates technical impact as total.
Technical ContextAI
The flaw resides in the CoworkVMService Windows service shipped with Claude Desktop, which executes under the NT AUTHORITY\SYSTEM security principal. CWE-59 (Link Following) applies: the service performs privileged file creation inside a directory whose path is writable by non-privileged users, without verifying via reparse-point checks (e.g., FILE_FLAG_OPEN_REPARSE_POINT or GetFileAttributes flags) that the target is a regular directory rather than an NTFS directory junction. NTFS junctions are a well-known Windows EoP primitive because any user can create them in directories they control, and privileged processes that follow them inherit the attacker's redirection. CPE coverage identifies anthropic:claude_desktop as the sole affected product family.
RemediationAI
Vendor-released patch: upgrade Claude Desktop for Windows to version 1.3834.0 or later, which adds reparse-point validation in CoworkVMService before file creation, per the GitHub Security Advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-5p5x-5294-qhp3. If immediate patching is not possible, compensating controls include stopping and disabling the CoworkVMService Windows service (this will break the multi-session VM bundle feature in Claude Desktop and prevent normal use of side-by-side sessions), or restricting the ACL on the VM bundle directory to deny non-elevated users the ability to delete or modify the directory itself (note: the default location is user-writable by design, so tightening permissions may break the application's ability to recreate the bundle). Monitoring for unexpected creation of directory junctions in user-writable paths followed by SYSTEM-owned file writes can serve as a detection control until patching completes.
More in Claude Desktop
View allSame weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30049