Description
The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in ~/.ssh/known_hosts without comparing the server's presented host key against the stored key. This allowed a network-positioned attacker to present an arbitrary SSH host key and have the connection silently accepted, enabling a man-in-the-middle attack on remote development sessions. Successful exploitation required the attacker to be in a network position to intercept SSH traffic (e.g., via ARP spoofing, rogue Wi-Fi, or DNS poisoning) and the target hostname to already have an entry in the victim's known_hosts file. This vulnerability is fixed in 1.4304.0.
Published: 2026-05-13
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Claude Desktop's SSH remote development feature, from version 1.2581.0 up to before 1.4304.0, only verifies that a hostname exists in the user’s ~/.ssh/known_hosts file but does not compare the server’s presented host key with the stored key. This omission lets an attacker who can intercept SSH traffic supply a forged host key; the application silently accepts the connection, allowing the attacker to intercept or modify the SSH session communication.
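
The difference between the hostname-presence check described above and a real host key comparison, as an added example (not Claude Desktop's code; the function names and sample data are assumptions made for illustration). It goes slightly beyond the advisory by also handling hashed (`HashKnownHosts`) entries and the `@revoked` marker:

```python
import base64, hashlib, hmac

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

def hash_host(host: str, salt: bytes) -> str:
    # OpenSSH HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))
    return f"|1|{b64(salt)}|{b64(hmac.new(salt, host.encode(), hashlib.sha1).digest())}"

def host_field_matches(field: str, host: str) -> bool:
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(field, hash_host(host, salt))
    return host in field.split(",")  # wildcard/negated patterns not handled

def parse_known_hosts(text: str):
    # Yields (marker, host_field, key_type, key_blob) for each entry.
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = parts.pop(0) if parts[0].startswith("@") else ""
        if len(parts) >= 3:
            yield marker, parts[0], parts[1], base64.b64decode(parts[2])

def hostname_only_check(text: str, host: str) -> bool:
    # Flawed pattern from the advisory: the presented key is never examined.
    return any(host_field_matches(f, host) for _, f, _, _ in parse_known_hosts(text))

def verify_host_key(text: str, host: str, key_type: str, key_blob: bytes) -> str:
    # Returns "match", "mismatch", "revoked" or "unknown"; trust only "match".
    result = "unknown"
    for marker, field, ktype, blob in parse_known_hosts(text):
        if marker == "@cert-authority" or not host_field_matches(field, host):
            continue
        same = ktype == key_type and hmac.compare_digest(blob, key_blob)
        if marker == "@revoked" and same:
            return "revoked"
        if marker == "" and same:
            result = "match"
        elif marker == "" and result == "unknown":
            result = "mismatch"  # host is known, but under a different key
    return result

# Constructed sample data (placeholder blobs, not real SSH keys).
STORED, FORGED = b"constructed-stored-key", b"constructed-forged-key"
KNOWN_HOSTS = "\n".join([
    f"dev.example.test ssh-ed25519 {b64(STORED)}",
    f"{hash_host('build.example.test', b'constructed-salt')} ssh-ed25519 {b64(STORED)}",
])
```

A client should proceed only on `"match"`; `"mismatch"` and `"revoked"` must abort the connection, and `"unknown"` should fall back to an explicit trust decision by the user.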

Affected Systems

The vulnerable product is Anthropic’s Claude Desktop (Claude Code) used for remote development. Versions from 1.2581.0 through 1.4303.999 are affected. Any user running these releases with the target hostname already present in their ~/.ssh/known_hosts file is at risk.

Risk and Exploitability

The CVSS score is 7.4, reflecting a high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to be in a network position to intercept SSH traffic (e.g., via ARP spoofing, rogue Wi-Fi, or DNS poisoning) and the target hostname must already have an entry in the victim’s known_hosts file. Once these conditions are satisfied, the attacker can carry out a man-in-the-middle attack without needing any additional privileges.

Generated by OpenCVE AI on May 13, 2026 at 18:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Claude Desktop to version 1.4304.0 or later.
  • If an upgrade is not immediately possible, delete or comment out the affected host entries from ~/.ssh/known_hosts to force a host key warning.
  • If the host entries cannot be removed, disable the SSH remote development feature or restrict network access to prevent MITM interception.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Anthropic
Anthropic claude Desktop
CPEs cpe:2.3:a:anthropic:claude_desktop:*:*:*:*:*:*:*:*
Vendors & Products Anthropic
Anthropic claude Desktop
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Thu, 14 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Anthropics
Anthropics claude Code
Vendors & Products Anthropics
Anthropics claude Code

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in ~/.ssh/known_hosts without comparing the server's presented host key against the stored key. This allowed a network-positioned attacker to present an arbitrary SSH host key and have the connection silently accepted, enabling a man-in-the-middle attack on remote development sessions. Successful exploitation required the attacker to be in a network position to intercept SSH traffic (e.g., via ARP spoofing, rogue Wi-Fi, or DNS poisoning) and the target hostname to already have an entry in the victim's known_hosts file. This vulnerability is fixed in 1.4304.0.
Title Claude Desktop: SSH Host Key Verification Bypass Allows Man-in-the-Middle Attack on Remote Sessions
Weaknesses CWE-297
CWE-322
References
Metrics cvssV4_0

{'score': 7.4, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:29:10.605Z

Reserved: 2026-05-06T15:49:25.193Z

Link: CVE-2026-44467

Vulnrichment

Updated: 2026-05-14T18:29:04.891Z

NVD

Status: Analyzed

Published: 2026-05-13T16:16:58.100

Modified: 2026-06-02T14:00:21.310

Link: CVE-2026-44467

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T19:30:02Z
