Skip to main content
CVE Vulnerability Database

CVE-2026-7574: Anthropic Claude Desktop RCE Vulnerability

CVE-2026-7574 is a remote code execution flaw in Anthropic Claude Desktop Cowork VM that allows attackers to modify VM filesystem images for persistent code execution. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-7574 Overview

CVE-2026-7574 affects Anthropic Claude Desktop's Cowork VM image handling on macOS. The vulnerability stems from missing integrity verification of the rootfs.img root filesystem image at boot time. Claude Desktop validates only file presence and a version marker string before booting the VM, but never verifies the image content. A local attacker with unprivileged code execution as the victim macOS user can modify the VM root filesystem image. The modified image is trusted on subsequent Cowork VM boots, yielding persistent arbitrary code execution inside the VM and access to host-mounted directories. The issue maps to [CWE-353] (Missing Support for Integrity Check).

Critical Impact

An unprivileged local user can tamper with the Cowork VM root filesystem image to gain persistent code execution in the VM and reach host-mounted directories.

Affected Products

  • Anthropic Claude Desktop Cowork VM v1.1348.0
  • Anthropic Claude Desktop Cowork VM v1.1617.0
  • Anthropic Claude Desktop Cowork VM versions through v1.2278.0

Discovery Timeline

  • 2026-06-24 - CVE-2026-7574 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-7574

Vulnerability Analysis

Claude Desktop ships a Cowork VM feature that boots a macOS-hosted virtual machine using a rootfs.img root filesystem image. Before boot, the loader checks two conditions: that the image file exists at its expected path, and that an embedded version marker string is present. The loader does not compute or verify a cryptographic hash, signature, or any other integrity attestation over the image contents.

Because the image lives in a path writable by the unprivileged macOS user, any process running as that user can overwrite or modify it between boots. The version marker is a static string, so an attacker preserves it inside a tampered image to pass the existing check. Subsequent Cowork VM boots load the attacker-controlled filesystem as trusted.

The blast radius extends beyond the VM. Cowork VMs mount host directories for file exchange with the user's macOS environment. Code executing inside the tampered VM can read and write those mounted paths, exposing host data to a guest that is no longer trustworthy.

Root Cause

The root cause is missing time-of-use integrity validation on rootfs.img. The presence check and version marker comparison are weak proxies for trust and do not bind the image to a known-good content state.

Attack Vector

Exploitation requires local access with low privileges as the victim macOS user. The attacker modifies rootfs.img in place, preserves the expected version marker, and waits for the next Cowork VM boot. No user interaction with the modified image is required. Refer to the Recon 2026 Talk Presentation and TakeOnMe GCVE-1337 Analysis for additional technical detail.

Detection Methods for CVE-2026-7574

Indicators of Compromise

  • Unexpected modification timestamps on the Cowork VM rootfs.img file in the Claude Desktop application support directory.
  • File size or content hash drift of rootfs.img between Claude Desktop updates.
  • Unexpected user-space processes writing to the Cowork VM image path outside of Claude Desktop update events.

Detection Strategies

  • Baseline the SHA-256 hash of rootfs.img shipped with each Claude Desktop release and alert on deviation.
  • Monitor file integrity on the Claude Desktop application support directory using endpoint file integrity monitoring.
  • Correlate Cowork VM boot events with the most recent rootfs.img write event and flag boots that follow writes by non-Claude Desktop processes.

Monitoring Recommendations

  • Enable macOS Endpoint Security Framework telemetry for write events targeting the Cowork VM image path.
  • Track outbound network connections originating from the Cowork VM that diverge from known-good baselines.
  • Audit access to host-mounted directories exposed to the Cowork VM for anomalous read or write patterns.

How to Mitigate CVE-2026-7574

Immediate Actions Required

  • Update Claude Desktop to a version newer than v1.2278.0 once Anthropic publishes a fixed release.
  • Restrict who can run Claude Desktop on shared macOS hosts and disable the Cowork VM feature where it is not required.
  • Limit the directories mounted into the Cowork VM to reduce host exposure if the VM is compromised.

Patch Information

No vendor advisory URL is listed in the NVD entry at time of publication. Track the Recon 2026 Talk Presentation and Anthropic release notes for a patched Claude Desktop build that adds cryptographic integrity validation of rootfs.img before boot.

Workarounds

  • Store rootfs.img on a read-only volume or apply restrictive macOS file flags such as uchg to block user-level modification between boots.
  • Maintain an out-of-band hash of the legitimate rootfs.img and verify it manually before launching Claude Desktop in sensitive environments.
  • Run Claude Desktop under a dedicated low-privilege macOS account that does not have access to sensitive host directories.
bash
# Example: pin the Cowork VM image as immutable and verify its hash before launch
IMG="$HOME/Library/Application Support/Claude/cowork/rootfs.img"
EXPECTED="<known-good-sha256>"

shasum -a 256 "$IMG" | awk '{print $1}' | grep -q "$EXPECTED" || {
  echo "rootfs.img hash mismatch - do not launch" >&2
  exit 1
}

sudo chflags uchg "$IMG"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.