Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Local vector and low privileges as the user; integrity check bypass crosses the VM trust boundary (S:C) yielding high C/I and low A inside the VM.
Primary rating from Vendor (AHA).
CVSS Vector (Vendor: AHA): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Description (CVE.org)
Anthropic Claude Desktop Cowork VM image handling (confirmed across v1.1348.0 through v1.2278.0, including v1.1348.0, v1.1617.0, and v1.2278.0) validates only file presence and a version marker string before booting rootfs.img, but does not verify image content integrity at time-of-use. A local attacker with unprivileged code execution as the victim macOS user can modify the VM root filesystem image and have it trusted on subsequent Cowork VM boots, enabling persistent arbitrary code execution in the VM and access to host-mounted directories. The estimated CWE mapping is CWE-353 (Missing Support for Integrity Check).
Analysis (AI)
Persistent local code execution affects Anthropic Claude Desktop Cowork on macOS (v1.1348.0 through v1.2278.0) because the Cowork VM bootstrap validates only the presence of rootfs.img and a version marker string without verifying image content integrity at time-of-use. A local attacker with unprivileged code execution as the victim user can swap or modify the root filesystem image so subsequent Cowork VM boots trust the tampered image, yielding persistent arbitrary code execution inside the VM and access to host-mounted directories. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires the attacker to already be running unprivileged code as the victim macOS user account that owns the Claude Desktop Cowork installation, with filesystem write access to the rootfs.img backing the Cowork VM. … |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L produces an 8.7 score driven mainly by the scope change (S:C) - exploitation inside the user's context lets the attacker pivot into the Cowork VM trust boundary and reach host-mounted directories, which is genuinely a cross-boundary impact rather than just same-user code execution. … |
| Exploit Scenario | An attacker who has already obtained unprivileged code execution as the victim macOS user - for example via a malicious npm dependency, a phishing-delivered binary, or a compromised local dev tool - locates the Cowork rootfs.img in the user's profile, writes a modified image that preserves the expected version marker string but contains attacker-controlled init scripts, and waits. On the next Cowork VM boot the launcher's presence-and-marker check passes and the tampered image is mounted as root, giving the attacker persistent code execution inside the VM and read/write access to whichever host directories the user has mounted in. … |
| Remediation | No vendor-released patch identified at time of analysis, so administrators should monitor Anthropic's Claude Desktop release notes and upgrade to any post-v1.2278.0 build that adds cryptographic verification of rootfs.img before booting the Cowork VM. … |
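
The gap between a presence-and-marker check and cryptographic verification of the image, shown as an added example (not Anthropic's code and not taken from the advisory). The marker string, image layout and function names are constructed placeholders.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed placeholder; the real marker string is not given in the advisory.
MARKER = b"IMAGE-VERSION=example-1"

def weak_check(path, marker=MARKER):
    """Presence + version-marker check: the pattern the advisory describes."""
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as f:
        return marker in f.read(4096)

def sha256_file(path, chunk=1 << 20):
    """Stream the image through SHA-256 so large files are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verified_check(path, pinned_sha256, marker=MARKER):
    """Marker check plus a content digest compared to a pinned value.

    Assumption: pinned_sha256 comes from somewhere the unprivileged user
    cannot rewrite (e.g. a signed manifest), otherwise it can be swapped too.
    """
    if not weak_check(path, marker):
        return False
    return hmac.compare_digest(sha256_file(path), pinned_sha256)

def demo():
    """Build a constructed image, change its content, keep the marker."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "rootfs.img")
        with open(img, "wb") as f:
            f.write(MARKER + b"\n" + b"\x00" * 1024 + b"original-init")
        pinned = sha256_file(img)
        before = (weak_check(img), verified_check(img, pinned))
        with open(img, "r+b") as f:  # same length, marker untouched
            f.seek(-13, os.SEEK_END)
            f.write(b"modified-init")
        after = (weak_check(img), verified_check(img, pinned))
    return before, after

if __name__ == "__main__":
    print(demo())
```

The digest has to be computed at boot on the bytes actually handed to the VM; verifying only once at download or install leaves the time-of-use gap the description names.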
Recommended Action (AI)
24 hours: Identify all systems running Claude Desktop Cowork; verify installed versions and document exposure; disable Cowork features if not mission-critical. …
EUVD-2026-38639
GHSA-g2fx-c284-xq7h