Anthropic: Claude Cowork’s Sandbox Vulnerability Allows Attackers to Run Arbitrary Commands as Root

Anthropic: Claude Cowork’s Sandbox Vulnerability Allows Attackers to Run Arbitrary Commands as Root

Anthropic’s Claude Cowork Sandbox Exploited via Privilege Escalation Vulnerability

Security researchers at Armadin uncovered a critical vulnerability chain in Anthropic’s Claude Cowork, a desktop tool designed for non-technical users to leverage AI-powered code execution. The flaw allows an attacker with local code execution to bypass all sandbox defenses and gain root-level access within the product’s isolated Linux environment.

The Attack Chain

Claude Cowork on Windows operates within a Hyper-V-isolated Ubuntu VM, protected by multiple security layers, including Authenticode-signed RPC, bubblewrap namespaces, seccomp filters, and a domain-restricted egress proxy. However, Armadin’s research demonstrated a method to circumvent these protections:

  1. Initial Access via DLL Sideloading

    • Researchers exploited a DLL hijacking vulnerability in claude.exe, which loads USERENV.dll from its application directory before checking system paths.
    • By crafting a malicious USERENV.dll that exported GetUserProfileDirectoryW, they achieved arbitrary code execution within a signed Anthropic process, satisfying the RPC’s Authenticode signature check.
  2. RPC Protocol Reverse Engineering

    • Using an AI coding agent, Armadin reverse-engineered the JSON-based RPC protocol exposed via a named pipe (\\.\pipe\cowork-vm-service).
    • The protocol included methods like spawn, which forwards parameters to the VM’s sdk-daemon.
  3. Privilege Escalation via Malformed Parameters

    • The spawn method accepted two critical parameters: isResume and allowedDomains.
    • By setting isResume: true and specifying "name": "root", researchers bypassed user validation, allowing root shell access within the sandbox.

Impact & Validation

The exploit was confirmed against Claude Desktop for Windows (v1.9255.2.0). While Anthropic’s threat model does not account for local execution risks, the findings highlight a significant gap: once initial access is gained, sandboxed AI tools may offer minimal resistance to privilege escalation.

The vulnerability underscores the challenges of securing AI-powered development environments, particularly when local execution is involved. No patches or mitigations were mentioned in the disclosure.

Source: https://cybersecuritynews.com/claude-coworks-sandbox-vulnerability/

Anthropic cybersecurity rating report: https://www.rankiteo.com/company/anthropicresearch

"id": "ANT1783016675",
"linkid": "anthropicresearch",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Artificial Intelligence / Software '
                                    'Development',
                        'name': 'Anthropic',
                        'type': 'Company'}],
 'attack_vector': 'Local Code Execution',
 'description': 'Security researchers at Armadin uncovered a critical '
                'vulnerability chain in Anthropic’s Claude Cowork, a desktop '
                'tool designed for non-technical users to leverage AI-powered '
                'code execution. The flaw allows an attacker with local code '
                'execution to bypass all sandbox defenses and gain root-level '
                'access within the product’s isolated Linux environment.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'sandbox bypass',
            'operational_impact': 'Potential root-level access within '
                                  'sandboxed environment',
            'systems_affected': 'Claude Cowork (Windows v1.9255.2.0)'},
 'investigation_status': 'Disclosed (No patch mentioned)',
 'lessons_learned': 'The vulnerability highlights challenges in securing '
                    'AI-powered development environments, particularly when '
                    'local execution is involved. Sandboxed AI tools may offer '
                    'minimal resistance to privilege escalation once initial '
                    'access is gained.',
 'motivation': 'Security Research / Vulnerability Disclosure',
 'post_incident_analysis': {'root_causes': 'DLL hijacking vulnerability in '
                                           'claude.exe, weak RPC protocol '
                                           'validation, and malformed '
                                           'parameter handling in the spawn '
                                           'method'},
 'references': [{'source': 'Armadin Security Research'}],
 'threat_actor': 'Armadin (Security Researchers)',
 'title': 'Anthropic’s Claude Cowork Sandbox Exploited via Privilege '
          'Escalation Vulnerability',
 'type': 'Privilege Escalation',
 'vulnerability_exploited': 'DLL hijacking (USERENV.dll), RPC protocol '
                            'manipulation, malformed parameters in spawn '
                            'method'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.