Description
Anthropic Claude Desktop Cowork VM image handling (confirmed across v1.1348.0 through v1.2278.0, including v1.1348.0, v1.1617.0, and v1.2278.0) validates only file presence and a version marker string before booting rootfs.img, but does not verify image content integrity at time-of-use. A local attacker with unprivileged code execution as the victim macOS user can modify the VM root filesystem image and have it trusted on subsequent Cowork VM boots, enabling persistent arbitrary code execution in the VM and access to host-mounted directories. The estimated CWE mapping is CWE-353 (Missing Support for Integrity Check).
Published: 2026-06-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Anthropic’s Claude Desktop Cowork VM image handling relies on a missing integrity check (CWE-353), validating only the presence of the rootfs.img file and a version marker before booting, but it does not verify the content integrity of that image when the VM starts. A local attacker possessing unprivileged code execution on the host macOS user can modify the VM’s root filesystem image. When the VM subsequently boots, the altered image is trusted, enabling the attacker to run arbitrary code persistently inside the VM and to read or modify files exposed through host‑mounted directories.

Affected Systems

All released versions of Anthropic’s Claude Desktop Cowork from v1.1348.0 through v1.2278.0—including the specific releases v1.1348.0, v1.1617.0, and v1.2278.0—are affected by this flaw.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. Because the exploit requires local access to the host filesystem and only unprivileged code execution, the EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalogue. Attackers must be able to write to or otherwise tamper with the VM root image on a macOS system; when they succeed they achieve persistent code execution within the VM and gain access to any directories mounted from the host.

Generated by OpenCVE AI on June 24, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Anthropic Claude Desktop Cowork to a release that implements integrity verification for the VM rootfs.img before booting
  • Configure the system to reject a modified rootfs.img by checking a cryptographic hash or digital signature before the VM starts
  • Restrict file‑system permissions on the rootfs.img file so that only privileged users can modify or replace it, and mount host directories into the VM with read‑only or appropriately limited permissions

Generated by OpenCVE AI on June 24, 2026 at 09:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Anthropic
Anthropic claude Desktop
Vendors & Products Anthropic
Anthropic claude Desktop

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Description Anthropic Claude Desktop Cowork VM image handling (confirmed across v1.1348.0 through v1.2278.0, including v1.1348.0, v1.1617.0, and v1.2278.0) validates only file presence and a version marker string before booting rootfs.img, but does not verify image content integrity at time-of-use. A local attacker with unprivileged code execution as the victim macOS user can modify the VM root filesystem image and have it trusted on subsequent Cowork VM boots, enabling persistent arbitrary code execution in the VM and access to host-mounted directories. The estimated CWE mapping is CWE-353 (Missing Support for Integrity Check).
Title Anthropic Claude Desktop Cowork VM Image Contents Not Validated Before Use
Weaknesses CWE-353
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}


Subscriptions

Anthropic Claude Desktop
cve-icon MITRE

Status: PUBLISHED

Assigner: AHA

Published:

Updated: 2026-06-24T13:04:11.984Z

Reserved: 2026-05-01T02:06:20.230Z

Link: CVE-2026-7574

cve-icon Vulnrichment

Updated: 2026-06-24T13:03:57.504Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-353

    Missing Support for Integrity Check