Description
Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enabling arbitrary code execution if a malicious DLL is planted alongside the installer.
Published: 2026-03-31
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The installer for Anthropic Claude Desktop for Windows loads DLL files from its own directory after user‑account‑control elevation. Because the search path is not constrained, a malicious DLL with the same name as a legitimate file – for example profapi.dll – can be placed beside the installer and will be loaded during installation. This allows an attacker who can run the installer on the target machine to execute arbitrary code with elevated privileges.

Affected Systems

Users who have installed Anthropic Claude Desktop for Windows with any installer version earlier than 1.1.3363 are affected. The vulnerability relies on the Windows DLL search‑order mechanism, so it applies to any Windows environment that is capable of running the installer and contains that directory structure.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity. The EPSS score of less than 1 % suggests that exploitation is not common in the wild, and the vulnerability is not listed in the CISA KEV catalog. An attacker must have local access, the ability to run the installer, and write permission to the installer’s directory to place a rogue DLL. Given these prerequisites, the risk is moderate but manageable by applying the vendor‑recommended fix.

Generated by OpenCVE AI on April 7, 2026 at 09:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Anthropic Claude Desktop version 1.1.3363 or newer, which removes the DLL search‑order vulnerability.
  • Before updating, check the installer’s directory for any unexpected or malicious DLLs and remove or rename them.
  • Limit write access to the directory containing the installer to prevent unauthorized DLL placement.

Generated by OpenCVE AI on April 7, 2026 at 09:56 UTC.
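
One way to carry out the directory check and the write-access review from the list above, as an added PowerShell example (not from OpenCVE or the vendor). The default installer path is an assumption; pass the real location of Claude Setup.exe.

```powershell
# Added example: audit the folder holding the installer before running it.
# The default path below is an assumption, not a value from the advisory.
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\Claude Setup.exe"
)

$dir      = Split-Path -Path $InstallerPath -Parent
$system32 = Join-Path $env:SystemRoot 'System32'

# 1. Any DLL next to the installer can be picked up by the search order.
#    A legitimate single-file installer normally ships with none.
$dlls = Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction Stop |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Name            = $_.Name
            LastWriteTime   = $_.LastWriteTime
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
            # True when the name shadows a system DLL (profapi.dll is one).
            ShadowsSystem32 = (Test-Path -LiteralPath (Join-Path $system32 $_.Name))
            SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# 2. Who may create files in that folder? Modify and FullControl include
#    the CreateFiles bit; ACEs expressed as generic rights are not decoded here.
$createBit = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$writers = (Get-Acl -LiteralPath $dir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $createBit) -ne 0)
} | Select-Object IdentityReference, FileSystemRights, IsInherited

if ($dlls) {
    Write-Warning "DLLs found beside the installer in '$dir'. Review before running it:"
    $dlls | Format-List
} else {
    Write-Output "No DLLs found beside the installer in '$dir'."
}

Write-Output "Principals allowed to create files in '$dir':"
$writers | Format-Table -AutoSize
```

Copying the installer into a freshly created folder that only administrators can write to, and running it from there, addresses both findings at once.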

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title DLL Search‑Order Hijacking in Anthropic Claude for Windows Installer

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title DLL Search-Order Hijacking in Anthropic Claude Windows Installer Enables Local Privilege Escalation
Weaknesses CWE-779

Mon, 06 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Anthropic claude
Microsoft
Microsoft windows
Weaknesses CWE-427
CPEs cpe:2.3:a:anthropic:claude:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Anthropic claude
Microsoft
Microsoft windows
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title DLL Search-Order Hijacking in Anthropic Claude Windows Installer Enables Local Privilege Escalation
First Time appeared Anthropic
Anthropic claude Desktop
Weaknesses CWE-779
Vendors & Products Anthropic
Anthropic claude Desktop

Tue, 31 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enabling arbitrary code execution if a malicious DLL is planted alongside the installer.
References
Metrics cvssV4_0

{'score': 4.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-03-31T18:13:52.328Z

Reserved: 2026-01-07T15:39:03.440Z

Link: CVE-2026-22561

Vulnrichment

Updated: 2026-03-31T16:31:29.129Z

NVD

Status: Analyzed

Published: 2026-03-31T16:16:28.850

Modified: 2026-04-06T16:58:22.433

Link: CVE-2026-22561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:18Z

Weaknesses