A high-severity vulnerability in Anthropic’s Claude Desktop has been disclosed, exposing millions of remote development sessions to silent man-in-the-middle (MITM) attacks.
Tracked as CVE-2026-44467 and assigned a High severity rating under CVSS v4.0, the flaw allowed a network-positioned attacker to intercept, manipulate, and hijack SSH remote development sessions all without triggering any warning to the victim.
The security flaw resided in Claude Desktop’s SSH remote development feature, which developers use to connect to remote servers and code directly within the Claude Desktop environment.
Claude Desktop SSH Vulnerability
The core issue was dangerously simple: Claude Desktop checked whether a target hostname existed inside the ~/.ssh/known_hosts file, but never compared the server’s actual presented host key against the key stored in that file.
In effect, it was like a security guard checking whether a name appeared on a guest list without ever verifying the ID of the person walking through the door.
This meant that any attacker on the same network could present a completely arbitrary, fraudulent SSH host key, and Claude Desktop would silently accept it as legitimate. The connection proceeded without any alert, warning dialog, or authentication failure, making this a truly stealthy attack vector.
The vulnerability was published on May 7, 2026, by researcher OctavianGuzu via GitHub Security Advisory GHSA-3rwf-2g6p-c2f9, and was originally reported through HackerOne by security researcher masato_anzai.
Affected Versions & Patch
The flaw impacted Claude Desktop versions >= 1.2581.0 and < 1.4304.0. Anthropic addressed the issue in version 1.4304.0, which has already been automatically deployed to users who have enabled Claude Desktop’s auto-update feature. Users performing manual updates are strongly advised to upgrade to v1.4304.0 immediately.
| Detail | Information |
|---|---|
| CVE ID | CVE-2026-44467 |
| Severity | High (CVSS v4.0) |
| Affected Package | Claude Desktop (Anthropic) |
| Affected Versions | >= 1.2581.0, < 1.4304.0 |
| Patched Version | 1.4304.0 |
| CWE | CWE-297, CWE-322 |
| Published | May 7, 2026 |
Successful exploitation required two conditions to be met simultaneously:
- The attacker must be network-positioned to intercept SSH traffic achieved through techniques such as ARP spoofing, rogue Wi-Fi access points, or DNS poisoning.
- The target hostname must already have an existing entry in the victim’s
~/.ssh/known_hostsfile.
When both conditions were satisfied, the attack flow was devastating. An attacker intercepting traffic between a developer’s Claude Desktop client and their remote server could inject their own SSH host key into the handshake. Because Claude Desktop only validated the presence of the hostname, not key integrity, the fraudulent key would be silently accepted.
The attacker then established two independent encrypted sessions: one with the victim client and one with the target server, sitting invisibly in the middle of all communications.
Once in this position, the threat actor could:
- Read all commands executed by the developer in the remote session
- Exfiltrate sensitive data, including source code, credentials, and API keys
- Inject malicious commands into the session stream
- Modify files or binaries being transferred between the client and the server
The CVSS v4.0 vector for this flaw CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N reflects a High confidentiality and integrity impact on the vulnerable system, with an Adjacent attack vector, meaning the attacker must share the same network segment as the victim.
The vulnerability maps to two critical weaknesses in the MITRE CWE database:
- CWE-297 (Improper Validation of Certificate with Host Mismatch): The product communicates with a host that presents a certificate or key, but does not properly verify that the key is actually associated with that host. This is a classic pattern seen across SSH libraries and TLS implementations alike.
- CWE-322 (Key Exchange without Entity Authentication): The product performs a key exchange without verifying the identity of the remote actor, making the cryptographic handshake fundamentally untrustworthy.
SSH host key verification has historically been a recurring weak point. A similar flaw was discovered in libcurl (CVE-2025-15079), where the library accepted hosts listed in the global known_hosts file, even when stricter application-level verification was intended, and was also classified under CWE-297.
OpenSSH itself patched a related MITM vulnerability (CVE-2025-26465) in early 2025 that had persisted in its codebase since December 2014.
This is not the first security incident tied to Claude Desktop’s expanding feature set. In February 2026, LayerX researchers disclosed a zero-click Remote Code Execution (RCE) vulnerability in Claude Desktop Extensions (DXT), rated CVSS 10.0, that allowed a single malicious Google Calendar event to compromise a host system running Claude Desktop silently.
That vulnerability remained unpatched at the time of disclosure, as Anthropic chose not to remediate it. With Claude Desktop’s rapid development momentum, adding features like Cowork (released April 9, 2026) and SSH remote development, the attack surface continues to expand significantly.
Security researchers and enterprise teams should carefully evaluate network trust boundaries when deploying Claude Desktop in sensitive development environments.
| IOC Type | Value / Description |
|---|---|
| Vulnerability | CVE-2026-44467 |
| Advisory | GHSA-3rwf-2g6p-c2f9 |
| Attack Technique | ARP Spoofing, DNS Poisoning, Rogue Wi-Fi (network position) |
| Attack Vector | Adjacent Network |
| Targeted File | ~/.ssh/known_hosts |
| Affected Binary | Claude Desktop >= 1.2581.0 < 1.4304.0 |
Mitigation
- Update immediately to the Claude Desktop version 1.4304.0 or later.
- Avoid using Claude Desktop’s SSH remote development feature on untrusted or public Wi-Fi networks until the update is confirmed installed.
- Enforce SSH certificate-based authentication where possible, as it provides stronger identity guarantees compared to static known_hosts files.
- Monitor network traffic for signs of ARP spoofing or DNS poisoning on development networks.
- Review SSH connection logs for unexpected changes in host key fingerprints.
FAQ
Q1: Who is affected by CVE-2026-44467?
Any user running Claude Desktop versions >= 1.2581.0 and < 1.4304.0 who uses the SSH remote development feature on a network where an attacker can intercept traffic.
Q2: Do I need to patch Claude Desktop manually?
Auto-update users already received the fix; only users performing manual updates must explicitly upgrade to version 1.4304.0.
Q3: Can this attack be launched remotely over the internet?
No, the CVSS v4.0 Attack Vector is “Adjacent,” meaning the attacker must be on the same network segment and use techniques like ARP spoofing, rogue Wi-Fi, or DNS poisoning to intercept traffic.
Q4: Is this Claude Desktop’s first security vulnerability?
No, a separate zero-click RCE flaw in Claude Desktop Extensions was disclosed in February 2026 with a CVSS score of 10.0, impacting over 10,000 users.
Site: thecybrdef.com
For more insights and updates, follow us on Google News, Twitter, and LinkedIn.
About the Author
