CVE-2026-44467 Overview
CVE-2026-44467 is a certificate validation flaw in the Claude Desktop application's SSH remote development feature. The application checked only whether a hostname existed in ~/.ssh/known_hosts without comparing the server's presented host key against the stored key. This logic gap allows a network-positioned attacker to present an arbitrary SSH host key and have the connection silently accepted. The flaw affects Claude Desktop versions from 1.2581.0 to before 1.4304.0 and is tracked under [CWE-297] (Improper Validation of Certificate with Host Mismatch).
Critical Impact
Successful exploitation enables a man-in-the-middle attack on remote development sessions, exposing source code, credentials, and command output transmitted over SSH.
Affected Products
- Anthropic Claude Desktop application versions 1.2581.0 through 1.4303.x
- SSH remote development feature within Claude Desktop
- Hosts with pre-existing entries in ~/.ssh/known_hosts
Discovery Timeline
- 2026-05-13 - CVE-2026-44467 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44467
Vulnerability Analysis
The Claude Desktop application integrates an SSH client for remote development sessions. During session establishment, the client consults ~/.ssh/known_hosts to confirm the server identity. The implementation treated the presence of the hostname entry as sufficient proof of trust. It did not compare the cryptographic host key returned by the server against the key stored alongside the hostname.
This behavior breaks the trust-on-first-use model that SSH relies on. An attacker who can intercept the TCP connection can present any SSH host key and complete the handshake. The victim sees a normal session, while the attacker terminates one leg of the connection and forwards traffic to the legitimate server. All commands, file transfers, and credentials traverse the attacker-controlled relay in cleartext to the proxy.
Root Cause
The root cause is improper certificate and host key validation. The client implemented hostname lookup against known_hosts but omitted the key comparison step required by the SSH protocol. This is a classic [CWE-297] defect where identity material is read but never matched against the presented credential.
Attack Vector
Exploitation requires adjacent network positioning. The attacker must be able to intercept SSH traffic between the victim and the legitimate server. Common methods include Address Resolution Protocol (ARP) spoofing on a local LAN, a rogue Wi-Fi access point, or Domain Name System (DNS) poisoning. The target hostname must already have an entry in the victim's known_hosts file. The attacker then presents a self-controlled SSH host key, which the vulnerable client accepts without comparison. Refer to the GitHub Security Advisory for the vendor description.
Detection Methods for CVE-2026-44467
Indicators of Compromise
- Unexpected changes in SSH host key fingerprints observed for hosts previously connected from Claude Desktop
- ARP table anomalies or duplicate MAC-to-IP mappings on developer subnets
- DNS responses for development server hostnames resolving to unexpected addresses
- SSH sessions originating from Claude Desktop processes connecting to IP addresses outside known infrastructure
Detection Strategies
- Inventory endpoints running Claude Desktop and compare installed versions against the fixed release 1.4304.0
- Correlate process telemetry for the Claude Desktop binary with outbound TCP connections to port 22 and validate destination IPs
- Compare host key fingerprints recorded by server-side SSH daemons against fingerprints observed on client endpoints
Monitoring Recommendations
- Enable SSH server logging of client connection metadata and forward to a centralized log platform for analysis
- Alert on ARP table changes, gratuitous ARP replies, and rogue DHCP or DNS responses on developer network segments
- Monitor for new or modified entries in ~/.ssh/known_hosts on endpoints running Claude Desktop
How to Mitigate CVE-2026-44467
Immediate Actions Required
- Upgrade Claude Desktop to version 1.4304.0 or later on all affected endpoints
- Audit ~/.ssh/known_hosts files on developer workstations and remove stale or untrusted entries
- Rotate any SSH credentials or tokens that may have transited a vulnerable session over untrusted networks
Patch Information
Anthropic fixed the host key verification logic in Claude Desktop 1.4304.0. The patched build compares the presented SSH host key against the entry stored in known_hosts and aborts the session on mismatch. Patch details are published in the GitHub Security Advisory GHSA-3rwf-2g6p-c2f9.
Workarounds
- Restrict SSH remote development to trusted networks such as wired corporate LAN or enterprise virtual private network (VPN)
- Use a standalone SSH client with strict StrictHostKeyChecking=yes configuration until endpoints are patched
- Apply network segmentation and 802.1X authentication to reduce the risk of ARP spoofing and rogue access points
# Configuration example
# Verify installed Claude Desktop version on macOS
mdls -name kMDItemVersion /Applications/Claude.app
# Enforce strict host key checking in user SSH config as a workaround
cat >> ~/.ssh/config <<'EOF'
Host *
StrictHostKeyChecking yes
HashKnownHosts yes
EOF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
