{"id":15764,"date":"2026-02-10T03:28:46","date_gmt":"2026-02-10T03:28:46","guid":{"rendered":"https:\/\/newestek.com\/?p=15764"},"modified":"2026-02-10T03:28:46","modified_gmt":"2026-02-10T03:28:46","slug":"anthropics-dxt-poses-critical-rce-vulnerability-by-running-with-full-system-privileges","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15764","title":{"rendered":"Anthropic\u2019s DXT poses \u201ccritical RCE vulnerability\u201d by running with full system privileges"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>When LayerX Security published a report on Monday describing what it called \u201ca critical zero-click RCE vulnerability in [Anthropic\u2019s] Claude Desktop Extensions (DXT) that allows a malicious Google Calendar invite to silently compromise an entire system,\u201d analysts, consultants, security leaders, and even Anthropic didn\u2019t dispute the facts.\u00a0<\/p>\n<p>But the revelation did reignite the debate about whether it is the responsibility of AI vendors to ship buttoned-down secure products, or if it\u2019s the CISOs\u2019 responsibility to change settings to fit their business environment.<\/p>\n<p>\u201cUnlike traditional browser extensions, Claude Desktop Extensions run unsandboxed with full system privileges. As a result, Claude can autonomously chain low-risk connectors\u2014such as Google Calendar\u2014to high-risk local executors without user awareness or consent,\u201d  <a href=\"https:\/\/layerxsecurity.com\/blog\/claude-desktop-extensions-rce\/\" target=\"_blank\" rel=\"noreferrer noopener\">the report<\/a> said. 
\u201cIf exploited by a bad actor, even a benign prompt, coupled with a maliciously worded calendar event, is sufficient to trigger arbitrary local code execution that compromises the entire system. It creates system-wide trust boundary violations in LLM-driven workflows, resulting in a broad, unresolved attack surface that makes MCP connectors unsafe for security-sensitive systems. LayerX approached Anthropic with our findings, but the company decided not to fix it at this time.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/roybenalta\/\" target=\"_blank\" rel=\"noreferrer noopener\">Roy Ben Alta<\/a>, CEO at AI vendor Oakie.ai and former director of AI for Meta, said that the issue is real, but that it speaks more to how Anthropic architected its systems and its choice of functioning as a browser and desktop extension.<\/p>\n<p>\u201cThe framing [in the report] that Anthropic \u2018declined to fix\u2019 misses the point,\u201d he said. \u201cYou can\u2019t fix autonomous agents being able to chain actions together. That\u2019s their purpose. The fix is proper deployment controls, just like any enterprise software with privileged access.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"an-architecture-issue\">An architecture issue<\/h2>\n<p>He pointed out that the issue is not unique to Anthropic; any AI agent with both external data access and local execution capabilities offers potential privilege escalation paths. \u201cThat\u2019s the architecture, not a bug,\u201d he said. \u201cAnthropic should improve permission boundaries and prompt handling. 
Enterprises need to control which extensions are deployed and monitor usage.\u201d\u00a0<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/steveneric\/\" target=\"_blank\" rel=\"noreferrer noopener\">Steven Eric Fisher<\/a>, an independent cybersecurity and risk advisor who served as the director of cybersecurity, risk, and compliance for Walmart until August 2025, agreed that the problem is based on how Anthropic DXT was designed to function, as opposed to a technical flaw.\u00a0<\/p>\n<p>\u201cThe privilege and access management layer is a difficult problem at an individual desktop, let alone trying to manage that at an enterprise level. The AI desktop extensions and browsers don\u2019t manage identity and privileges like a mature operating system does,\u201d Fisher said. \u201cIT and cybersecurity can\u2019t directly fix the absence of articulated capacity in tooling systems. They do have experience and tool-sets for managing some boundaries within a desktop environment, or, in some cases, application behaviors. But this is trying to put ropes around the wrestling ring, which does not manage what happens in the ring or all the risks involved.\u201d<\/p>\n<p>The researchers at LayerX Security said that although it is true that these permissions\/settings issues exist to a varying degree with all AI vendors, Anthropic\u2019s approach with DXT makes the security problem far worse.\u00a0<\/p>\n<h2 class=\"wp-block-heading\" id=\"difference-are-stark\">Differences are \u2018stark\u2019<\/h2>\n<p>Principal AI Security Researcher at LayerX Security <a href=\"https:\/\/www.linkedin.com\/in\/roy-paz\/\" target=\"_blank\" rel=\"noreferrer noopener\">Roy Paz<\/a> said that he tested DXT against Perplexity\u2019s Comet, OpenAI\u2019s Atlas, and Microsoft\u2019s Copilot, and the differences were stark.<\/p>\n<p>\u201cWhen you ask Copilot, Atlas, or Perplexity to use a tool, then it will use that tool for you. 
But Claude DXT allows tools to talk to other tools, [such as] in Google Calendar to Desktop Commander, and may do so without consulting the user in order to complete a task,\u201d Paz said. With those other vendors, he noted, \u201cif the agent wants to do something that goes beyond the scope of the user\u2019s explicit instruction, it will ask for permission, but with Claude DXT\u2019s, the user is not consulted.\u201d<\/p>\n<p>LayerX Head of Product Strategy <a href=\"https:\/\/www.linkedin.com\/in\/eyalarazi\/\" target=\"_blank\" rel=\"noreferrer noopener\">Eyal Arazi<\/a> also stressed Anthropic\u2019s different architectural and settings choices.\u00a0<\/p>\n<p>Most AI model providers are currently developing agentic products based on a browser platform, \u00a0a highly sandboxed environment that is strongly insulated from the underlying operating system, he pointed out. This means that while agentic AI browsers have their own vulnerabilities, compromising a browser doesn\u2019t give access to the underlying file system, or provide the ability to execute remote code directly on the underlying OS. <\/p>\n<p>\u201cClaude, however, does things differently,\u201d Arazi \u00a0said. \u201cIt is a browser extension currently only on Chrome, with a paired MCP-based desktop agent. Although some of the browser solutions such as Dia, Microsoft and Google are not yet fully agentic, Claude\u2019s solution <em>is<\/em> truly agentic.\u201d Unlike browsers, it <em>does<\/em> have direct access to the file system so the combination of full agentic capabilities and direct file system access creates a dangerous combination, he noted. 
\u201cThis is why it is specifically a problem of Anthropic\u2019s implementation, that other agentic browsers do not have.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"onus-on-users-says-anthropic\">Onus on users, says Anthropic<\/h2>\n<p>Anthropic confirmed much of the report, but said that the onus is on users to use the products properly, based on their environments.<\/p>\n<p>\u201cClaude Desktop\u2019s MCP integration is a local development tool where users explicitly configure and grant permissions to servers they choose to run,\u201d said Anthropic spokesperson Jennifer Martinez. \u201cTo be clear, the situation described in the post requires a targeted user to have intentionally installed these tools and granted permission to run them without prompts. We recommend that users exercise the same caution when installing MCP servers as they do when installing [other] third-party software.\u201d<\/p>\n<p>Martinez added that users explicitly configure and grant permissions to MCP servers they choose to run locally, and these servers have access to resources based on the user\u2019s permissions. \u201cBecause users maintain full control over which MCP servers they enable and the permissions those servers have, the security boundary is defined by the user\u2019s configuration choices and their system\u2019s existing security controls,\u201d she said. \u201cPrompt injections are an issue all LLMs are susceptible to, and Anthropic, along with the rest of the AI industry, are working on combating them.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"plenty-of-blame-to-share\">Plenty of blame to share<\/h2>\n<p>Fault for the weakness can\u2019t be attributed to any one source, Fisher said; there is plenty of blame to share, including the slow pace of industry standards.\u00a0<\/p>\n<p>\u201cAnthropic or any AI company can\u2019t fix what isn\u2019t well defined. 
Without a common standard, at best they could produce a bespoke whack-a-mole rights implementation,\u201d he pointed out. \u201cThe rate of innovation, in my opinion, far exceeds the ability to identify a common security standard for implementation around the results.\u00a0 People are working on the challenge [in that] there is a group working on an MCP security standard.\u201d<\/p>\n<p>But it\u2019s a work in progress. \u201cRight now,\u201d he said, \u201cthis is a build fast and innovate [approach], which largely relies on existing underlying security controls. Existing systems just can\u2019t contend with what is going to be required to articulate what is needed or allowed within AI\u2019s reach.\u201d<\/p>\n<p>However, <a href=\"https:\/\/my.idc.com\/getdoc.jsp?containerId=PRF004767\" target=\"_blank\" rel=\"noreferrer noopener\">Frank Dickson<\/a>, group vice president for security and trust at IDC, pushed back against the suggestion that this is a problem common to all autonomous agents.\u00a0<\/p>\n<p>\u201cThis is not simply a fact of life, given autonomous agents. It is a fact of a new software company extending its offering into an unfamiliar space, for which they do not understand the implications,\u201d Dickson said. \u201cThis bug is more about reinforcing the need to secure and control the browser rather than Anthropic issuing an unsafe browser.\u201d\u00a0<\/p>\n<p>Software startups like to fail fast, he noted; however, they do feel the brunt of all of the failures. \u201cIf it is not Anthropic making a mistake, it will be someone else,\u201d he said. \u201cAnthropic does not get a pass, but organizations should expect startups to make such mistakes and put in measures to control and secure their browsers.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"not-an-easy-fix\">Not an easy fix<\/h2>\n<p>LayerX\u2019s Paz said that this problem will not be easy for Anthropic to fix because it is deeply ingrained in the architectural decisions. 
\u201cIt\u2019s not a half-hour fix. It\u2019s weeks worth of fix. It is going to force them to do a full redesign.\u201d<\/p>\n<p><a href=\"https:\/\/www.rockcyber.com\/about-us\" target=\"_blank\" rel=\"noreferrer noopener\">Rock Lambros<\/a>, CEO of security firm RockCyber, added that he would not consider the Anthropic issue a zero day, but it\u2019s still a problem.\u00a0<\/p>\n<p>\u201cThis is the predictable result of letting an AI agent chain a harmless data source to a privileged code executor without a confirmation gate. Anthropic already built sandboxing for Claude Code, so the \u2018that\u2019s just how agents work\u2019 defense fell apart when they shipped Desktop Extensions without it,\u201d Lambros said. \u201cEvery enterprise deploying agents right now needs to answer \u2018Did we restrict tool chaining privileges before activation, or did we hand the intern the master key and go to lunch?\u2019\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>When LayerX Security published a report on Monday describing what it called \u201ca critical zero-click RCE vulnerability in [Anthropic\u2019s] Claude Desktop Extensions (DXT) that allows a malicious Google Calendar invite to silently compromise an entire system,\u201d analysts, consultants, security leaders, and even Anthropic didn\u2019t dispute the facts.\u00a0 But the revelation did reignite the debate about whether it is the responsibility of AI vendors to ship&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15764\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15764","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15764","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15764"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15764\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15764"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15764"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15764"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}