Skip to main content

Claude Desktop Cowork EUVDEUVD-2026-38639

| CVE-2026-7574 HIGH
Missing Support for Integrity Check (CWE-353)
2026-06-23 AHA GHSA-g2fx-c284-xq7h
8.7
CVSS 3.1 · Vendor: AHA
Share

Severity by source

Vendor (AHA) PRIMARY
8.7 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
vuln.today AI
8.7 HIGH

Local vector and low privileges as the user; integrity check bypass crosses the VM trust boundary (S:C) yielding high C/I and low A inside the VM.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Primary rating from Vendor (AHA).

CVSS VectorVendor: AHA

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 00:26 vuln.today
CVE Published
Jun 23, 2026 - 23:54 cve.org
HIGH 8.7

DescriptionCVE.org

Anthropic Claude Desktop Cowork VM image handling (confirmed across v1.1348.0 through v1.2278.0, including v1.1348.0, v1.1617.0, and v1.2278.0) validates only file presence and a version marker string before booting rootfs.img, but does not verify image content integrity at time-of-use. A local attacker with unprivileged code execution as the victim macOS user can modify the VM root filesystem image and have it trusted on subsequent Cowork VM boots, enabling persistent arbitrary code execution in the VM and access to host-mounted directories. The estimated CWE mapping is CWE-353 (Missing Support for Integrity Check).

AnalysisAI

Persistent local code execution affects Anthropic Claude Desktop Cowork on macOS (v1.1348.0 through v1.2278.0) because the Cowork VM bootstrap validates only the presence of rootfs.img and a version marker string without verifying image content integrity at time-of-use. A local attacker with unprivileged code execution as the victim user can swap or modify the root filesystem image so subsequent Cowork VM boots trust the tampered image, yielding persistent arbitrary code execution inside the VM and access to host-mounted directories. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain user-level code execution on macOS host
Delivery
Locate Cowork rootfs.img in user profile
Exploit
Modify image preserving version marker string
Execution
Wait for victim to boot Cowork VM
Persist
Tampered rootfs mounted and executed
Impact
Persist in VM and access host-mounted directories

Vulnerability AssessmentAI

Exploitation Requires the attacker to already be running unprivileged code as the victim macOS user account that owns the Claude Desktop Cowork installation, with filesystem write access to the rootfs.img backing the Cowork VM. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L produces an 8.7 score driven mainly by the scope change (S:C) - exploitation inside the user's context lets the attacker pivot into the Cowork VM trust boundary and reach host-mounted directories, which is genuinely a cross-boundary impact rather than just same-user code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already obtained unprivileged code execution as the victim macOS user - for example via a malicious npm dependency, a phishing-delivered binary, or a compromised local dev tool - locates the Cowork rootfs.img in the user's profile, writes a modified image that preserves the expected version marker string but contains attacker-controlled init scripts, and waits. On the next Cowork VM boot the launcher's presence-and-marker check passes and the tampered image is mounted as root, giving the attacker persistent code execution inside the VM and read/write access to whichever host directories the user has mounted in. …
Remediation No vendor-released patch identified at time of analysis, so administrators should monitor Anthropic's Claude Desktop release notes and upgrade to any post-v1.2278.0 build that adds cryptographic verification of rootfs.img before booting the Cowork VM. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Claude Desktop Cowork; verify installed versions and document exposure; disable Cowork features if not mission-critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38639 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy