Description
Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enabling arbitrary code execution if a malicious DLL is planted alongside the installer.
Published: 2026-03-31
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: Local Privilege Escalation via DLL Hijacking
Action: Patch Installer
AI Analysis

Impact

The vulnerability is caused by the Anthropic Claude Desktop Windows installer loading DLLs from the installer's own directory without sanitizing the search path. A local user can place a malicious DLL in the same folder as Claude Setup.exe. When the installer loads that DLL after UAC elevation has been granted, the code runs with elevated privileges, enabling arbitrary code execution and full control of the workstation.

Affected Systems

Anthropic Claude Desktop for Windows versions earlier than 1.1.3363 are affected. The issue is confined to the local machine; remote attackers cannot exploit the vulnerability without user interaction or physical access to run the installer.

Risk and Exploitability

The CVSS score of 4.7 reflects moderate severity. No EPSS data or KEV listing is available, indicating a lower exploitation probability. Exploitation requires a local user to run the installer and approve a UAC prompt, so the attack is local and results in privilege escalation via DLL hijacking. While not easily remotely exploitable, the vulnerability remains a risk for environments that trust local users or run unattended installations.

Generated by OpenCVE AI on March 31, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Anthropic Claude Desktop version 1.1.3363 or newer, which fixes the DLL search path issue.
  • If upgrading is not possible, run the installer from a clean, trusted directory and ensure no malicious DLLs are present.
  • Verify the installer’s digital signature before execution.
  • After installation, review the installation directory for unexpected DLL files and delete them if necessary.
  • Consider temporarily disabling or restricting UAC elevation for installers until the vulnerability is patched.

Generated by OpenCVE AI on March 31, 2026 at 17:25 UTC.
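
One way to script the signature check and the "clean, trusted directory" step from the recommended actions, as an added example that is not part of the OpenCVE record or any vendor tooling. The function names, the sample path and the expected-signer string are assumptions.

```powershell
# Added example (not from the advisory). Function names, paths and the
# expected-signer string are assumptions to be replaced with your own values.
function Test-InstallerPreflight {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [Parameter(Mandatory)] [string] $ExpectedSigner  # substring of the publisher's certificate subject
    )
    $installer = Get-Item -LiteralPath $InstallerPath -ErrorAction Stop
    $findings  = [System.Collections.Generic.List[string]]::new()

    # 1. The installer's Authenticode signature must be valid and from the expected publisher.
    $sig = Get-AuthenticodeSignature -LiteralPath $installer.FullName
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Installer signature status is $($sig.Status)")
    } elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        $findings.Add("Unexpected signer: $($sig.SignerCertificate.Subject)")
    }

    # 2. Any DLL beside the installer can be picked up by the search order
    #    (the advisory names profapi.dll), so report every one, signed or not.
    Get-ChildItem -LiteralPath $installer.DirectoryName -Filter '*.dll' -File -Force |
        ForEach-Object {
            $status = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            $findings.Add("DLL beside installer: $($_.Name) (signature: $status)")
        }

    [pscustomobject]@{
        Installer = $installer.FullName
        Clean     = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

function Copy-InstallerToCleanDirectory {
    param([Parameter(Mandatory)] [string] $InstallerPath)
    # A freshly created, randomly named directory contains nothing but the copied installer.
    $dir  = New-Item -ItemType Directory -Path (Join-Path $env:TEMP ([guid]::NewGuid().ToString()))
    $copy = Copy-Item -LiteralPath $InstallerPath -Destination $dir.FullName -PassThru
    # Confirm the copy is byte-identical to the file that was checked.
    if ((Get-FileHash -LiteralPath $copy.FullName).Hash -ne (Get-FileHash -LiteralPath $InstallerPath).Hash) {
        throw "Copy of $InstallerPath does not match the original"
    }
    $copy.FullName
}

# Usage with a constructed path:
# $clean = Copy-InstallerToCleanDirectory 'C:\Users\Public\Downloads\Claude Setup.exe'
# Test-InstallerPreflight -InstallerPath $clean -ExpectedSigner '<expected publisher>'
```

Launch the installer only when `Clean` is true for the copied file, and start it from the new directory rather than from the download location.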

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
Title | | DLL Search-Order Hijacking in Anthropic Claude Windows Installer Enables Local Privilege Escalation
First Time appeared | | Anthropic; Anthropic claude Desktop
Weaknesses | | CWE-779
Vendors & Products | | Anthropic; Anthropic claude Desktop

Tue, 31 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enabling arbitrary code execution if a malicious DLL is planted alongside the installer.
References | |
Metrics | | cvssV4_0 {'score': 4.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-03-31T18:13:52.328Z

Reserved: 2026-01-07T15:39:03.440Z

Link: CVE-2026-22561

Vulnrichment

Updated: 2026-03-31T16:31:29.129Z

NVD

Status: Received

Published: 2026-03-31T16:16:28.850

Modified: 2026-03-31T16:16:28.850

Link: CVE-2026-22561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:04Z

Weaknesses