Anthropic’s Claude Cowork Sandbox Exploited via Privilege Escalation Vulnerability
Security researchers at Armadin uncovered a critical vulnerability chain in Anthropic’s Claude Cowork, a desktop tool designed for non-technical users to leverage AI-powered code execution. The flaw allows an attacker with local code execution to bypass all sandbox defenses and gain root-level access within the product’s isolated Linux environment.
The Attack Chain
Claude Cowork on Windows operates within a Hyper-V-isolated Ubuntu VM, protected by multiple security layers, including Authenticode-signed RPC, bubblewrap namespaces, seccomp filters, and a domain-restricted egress proxy. However, Armadin’s research demonstrated a method to circumvent these protections:
-
Initial Access via DLL Sideloading
- Researchers exploited a DLL hijacking vulnerability in
claude.exe, which loadsUSERENV.dllfrom its application directory before checking system paths. - By crafting a malicious
USERENV.dllthat exportedGetUserProfileDirectoryW, they achieved arbitrary code execution within a signed Anthropic process, satisfying the RPC’s Authenticode signature check.
- Researchers exploited a DLL hijacking vulnerability in
-
RPC Protocol Reverse Engineering
- Using an AI coding agent, Armadin reverse-engineered the JSON-based RPC protocol exposed via a named pipe (
\\.\pipe\cowork-vm-service). - The protocol included methods like
spawn, which forwards parameters to the VM’ssdk-daemon.
- Using an AI coding agent, Armadin reverse-engineered the JSON-based RPC protocol exposed via a named pipe (
-
Privilege Escalation via Malformed Parameters
- The
spawnmethod accepted two critical parameters:isResumeandallowedDomains. - By setting
isResume: trueand specifying"name": "root", researchers bypassed user validation, allowing root shell access within the sandbox.
- The
Impact & Validation
The exploit was confirmed against Claude Desktop for Windows (v1.9255.2.0). While Anthropic’s threat model does not account for local execution risks, the findings highlight a significant gap: once initial access is gained, sandboxed AI tools may offer minimal resistance to privilege escalation.
The vulnerability underscores the challenges of securing AI-powered development environments, particularly when local execution is involved. No patches or mitigations were mentioned in the disclosure.
Source: https://cybersecuritynews.com/claude-coworks-sandbox-vulnerability/
Anthropic cybersecurity rating report: https://www.rankiteo.com/company/anthropicresearch
"id": "ANT1783016675",
"linkid": "anthropicresearch",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Artificial Intelligence / Software '
'Development',
'name': 'Anthropic',
'type': 'Company'}],
'attack_vector': 'Local Code Execution',
'description': 'Security researchers at Armadin uncovered a critical '
'vulnerability chain in Anthropic’s Claude Cowork, a desktop '
'tool designed for non-technical users to leverage AI-powered '
'code execution. The flaw allows an attacker with local code '
'execution to bypass all sandbox defenses and gain root-level '
'access within the product’s isolated Linux environment.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'sandbox bypass',
'operational_impact': 'Potential root-level access within '
'sandboxed environment',
'systems_affected': 'Claude Cowork (Windows v1.9255.2.0)'},
'investigation_status': 'Disclosed (No patch mentioned)',
'lessons_learned': 'The vulnerability highlights challenges in securing '
'AI-powered development environments, particularly when '
'local execution is involved. Sandboxed AI tools may offer '
'minimal resistance to privilege escalation once initial '
'access is gained.',
'motivation': 'Security Research / Vulnerability Disclosure',
'post_incident_analysis': {'root_causes': 'DLL hijacking vulnerability in '
'claude.exe, weak RPC protocol '
'validation, and malformed '
'parameter handling in the spawn '
'method'},
'references': [{'source': 'Armadin Security Research'}],
'threat_actor': 'Armadin (Security Researchers)',
'title': 'Anthropic’s Claude Cowork Sandbox Exploited via Privilege '
'Escalation Vulnerability',
'type': 'Privilege Escalation',
'vulnerability_exploited': 'DLL hijacking (USERENV.dll), RPC protocol '
'manipulation, malformed parameters in spawn '
'method'}