Impact
Anthropic’s Claude Desktop Cowork VM image handling relies on a missing integrity check (CWE-353), validating only the presence of the rootfs.img file and a version marker before booting, but it does not verify the content integrity of that image when the VM starts. A local attacker possessing unprivileged code execution on the host macOS user can modify the VM’s root filesystem image. When the VM subsequently boots, the altered image is trusted, enabling the attacker to run arbitrary code persistently inside the VM and to read or modify files exposed through host‑mounted directories.
Affected Systems
All released versions of Anthropic’s Claude Desktop Cowork from v1.1348.0 through v1.2278.0—including the specific releases v1.1348.0, v1.1617.0, and v1.2278.0—are affected by this flaw.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity. Because the exploit requires local access to the host filesystem and only unprivileged code execution, the EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalogue. Attackers must be able to write to or otherwise tamper with the VM root image on a macOS system; when they succeed they achieve persistent code execution within the VM and gain access to any directories mounted from the host.
OpenCVE Enrichment