A high-severity local privilege escalation (LPE) vulnerability in its CoworkVMService component. This flaw required no admin rights or user interaction to exploit, making it a stealthy yet potent threat to enterprise environments.
A security researcher operating under the HackerOne handle piquo uncovered the vulnerability, which was assigned CVE-2026-44470 and published via GitHub Security Advisory GHSA-5p5x-5294-qhp3 on May 7, 2026.
The flaw has since been patched in Claude Desktop version 1.3834.0, and users running older versions on Windows are strongly urged to update immediately.
At the heart of this vulnerability lies a classic Windows NTFS directory junction abuse one of the most well-documented yet persistently misused attack primitives in Windows privilege escalation.
The CoworkVMService a background service introduced as part of Claude Desktop’s VM-based sandbox environment for running Claude Code operates under the NT AUTHORITY\SYSTEM account, granting it the highest possible privilege level on a Windows machine.
Claude Desktop Vulnerability
The service routinely creates files within a designated “VM bundle directory,” which is writable by standard, non-elevated users. The critical design failure: the service never validated whether that directory was a legitimate folder or an NTFS directory junction (a type of symbolic link pointing to an arbitrary location).
An attacker with a low-privileged local account could exploit this in a straightforward sequence:
- Delete or replace the user-writable VM bundle directory with an NTFS junction.
- Point the junction to any sensitive system path, such as
C:\Windows\System32\or a privileged configuration directory. - Wait for CoworkVMService to execute its routine file-creation operation.
- The SYSTEM-level service follows the junction and creates a SYSTEM-owned file at the attacker-controlled location.
- The attacker leverages the planted file for full local privilege escalation to SYSTEM.
This attack pattern widely cataloged as CWE-59 (Improper Link Resolution Before File Access / Link Following) has plagued Windows security products for years, including documented cases in Avast, ESET, and Avira.
The companion weakness, CWE-269 (Improper Privilege Management), reflects the deeper architectural flaw: a SYSTEM service operating on user-writable directories without adequate validation controls.
The vulnerability carries a CVSS v4.0 base score rated High, with the following metrics underscoring why it demands urgent attention:
| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Attack Requirements | None |
| Privileges Required | Low |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
The “Low” complexity and “None” user interaction ratings are particularly alarming. A malicious insider, a compromised low-privilege account, or even malware already running in the user context could silently trigger this flaw, no phishing, no social engineering, no admin credentials required.
Claude Desktop has seen rapid enterprise adoption as organizations integrate AI-assisted coding workflows directly into developer environments.
The introduction of the CoworkVMService component reflects Anthropic’s expansion into running sandboxed virtual machine sessions for Claude Code, a powerful productivity feature that, in this case, introduced a high-risk attack surface.
This disclosure follows a pattern of growing scrutiny on AI desktop client security. Earlier in 2026, researchers flagged a tool-chaining vulnerability in Claude Desktop Extensions, rated CVSS 10/10, exposing the risk of arbitrary code execution via prompt injection across chained MCP extensions.
Together, these findings signal that AI desktop applications traditionally trusted as productivity tools rather than attack surfaces are rapidly becoming high-value targets for local and supply-chain threat actors.
The directory junction technique exploited here is not novel. Security researchers at Trend Micro ZDI have extensively documented how NTFS junction abuse has been successfully weaponized against SYSTEM-level services in products ranging from antivirus engines to cloud backup clients.
The persistence of this vulnerability class in new software categories like AI assistants suggests that developers building SYSTEM-level services must adopt mandatory junction/symlink validation as a baseline security control, not an afterthought.
Patch and Remediation
Anthropic has resolved the issue in the Claude Desktop Windows version 1.3834.0 by validating the VM bundle directory path before any file operations, ensuring the service rejects junction-based paths before the SYSTEM-level write occurs.
- Immediately update Claude Desktop to version 1.3834.0 or later on all Windows endpoints.
- Audit whether Claude Desktop is deployed in multi-user or shared environments where low-privileged accounts exist alongside SYSTEM services.
- Apply the principle of least privilege to background services wherever possible. System-level operations should be reserved for explicitly required cases only.
- Monitor for unusual NTFS junction creation in user-writable application directories as a detection signal for this class of attack.
FAQ
Q1: What is CVE-2026-44470?
CVE-2026-44470 is a high-severity local privilege escalation vulnerability in Claude Desktop for Windows, where the CoworkVMService ran as SYSTEM without validating NTFS directory junctions, allowing low-privileged users to escalate to full SYSTEM access.
Q2: What versions of Claude Desktop are affected?
All versions of Claude Desktop for Windows before 1.3834.0 are affected; the vulnerability is fully patched in version 1.3834.0 and later.
Q3: Does this vulnerability require internet access or admin rights to exploit?
No, this is a local attack that requires only a low-privileged local account, with no user interaction, no admin rights, and no network access.
Q4: What is an NTFS directory junction, and why is it dangerous?
An NTFS directory junction is a Windows filesystem feature that redirects one directory path to another location; when a SYSTEM-level service follows a junction without validation, an unprivileged attacker can redirect that service’s file operations to sensitive system paths, enabling privilege escalation.
Site: thecybrdef.com
For more insights and updates, follow us on Google News, Twitter, and LinkedIn.
About the Author
