See Full Article: https://expertinsights.com/news/claude-desktop-extensions-expose-over-10000-users-to-rce-vulnerability
A critical security flaw in Claude Desktop Extensions has exposed over 10,000 users to the risk of zero-click Remote Code Execution (RCE).
The vulnerability allows a single malicious Google Calendar event to execute arbitrary code on an endpoint without user awareness, approval, or interaction.
Claude Desktop Extensions, distributed through Anthropic’s extension ecosystem, enable the Claude assistant to perform tasks that interact directly with the local operating system. Unlike browser extensions, which are restricted by sandboxing and permission controls, these desktop extensions run with full system privileges.
As a result, they can read files, execute commands, access stored credentials, and change operating system settings.
The new vulnerability stems from how Claude autonomously selects and chains Model Context Protocol (MCP) connectors to complete user requests.
When given an imprecise prompt, such as checking calendar events and “taking care of it”, the model may combine data from a low-risk connector such as Google Calendar with a high-risk local executor.
This automated workflow decision creates a trust boundary violation between external data and privileged system-level actions.
Researchers demonstrated that a benign-looking calendar event containing simple instructions, such as downloading and running code, was enough to trigger local execution.
The attack required no confirmation prompts, no explicit automation request, and no advanced prompt manipulation. Due to the impact and ease of exploitation, the issue reportedly received a Common Vulnerability Scoring System (CVSS) rating of 10.0.
“The CVSS 10/10 framing needs context,” clarified Suzu Labs CEO Michael Bell. “The attack requires a specific combination of installed extensions, not just Claude Desktop by itself.”
The findings were disclosed on Monday by LayerX, which identified at least 50 affected desktop extensions. The company reported the issue to Anthropic, but the behavior remains unresolved, largely because the root cause is architectural and not coming from a single defective component.
“This isn’t unique to Anthropic. The entire MCP ecosystem across all major AI platforms has the same pattern,” Bell added.
“Enterprises deploying any agent framework with local system access should treat it like a new privileged service. Isolated environment. Restricted permissions. Monitored execution. A clear policy on which extensions are approved.”