CVE-2026-44470— Claude Desktop: Local Privilege Escalation via Directory Junction in CoworkVMService
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| anthropics | claude-code | < 1.3834.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44470
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Claude Desktop: Local Privilege Escalation via Directory Junction in CoworkVMService
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real directory or an NTFS directory junction before creating files within it. A local non-elevated user could replace the user-writable VM bundle directory with a directory junction pointing to an attacker-chosen location, causing the service to create a SYSTEM-owned file in an arbitrary directory. This could be leveraged for local privilege escalation. This vulnerability is fixed in 1.3834.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在文件访问前对链接解析不恰当(链接跟随)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Claude Code 后置链接漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Claude Code是Anthropic开源的一个终端原生AI编程工具。 Claude Code 1.3834.0之前版本存在后置链接漏洞,该漏洞源于CoworkVMService组件以SYSTEM权限运行且未验证VM捆绑目录是否为真实目录或NTFS目录连接点,可能导致本地非提升用户替换可写VM捆绑目录为指向攻击者选择位置的目录连接点,从而在任意目录创建SYSTEM拥有的文件,实现本地权限提升。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| anthropics | claude-code | < 1.3834.0 | - |
II. Public POCs for CVE-2026-44470
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44470
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: claude-code
- CVE-2026-44467
Claude Desktop: SSH Host Key Verification Bypass Allows Man- - CVE-2026-40068
Claude Code arbitrary code execution via git worktree common - CVE-2026-39861
Claude Code: Sandbox Escape via Symlink Following Allows Arb - CVE-2026-35603
Claude Code: Insecure System-Wide Configuration Loading Enab - CVE-2026-33068
Claude Code has a Workspace Trust Dialog Bypass via Repo-Con
Same vendor: anthropics
- CVE-2026-44467
Claude Desktop: SSH Host Key Verification Bypass Allows Man- - CVE-2026-40068
Claude Code arbitrary code execution via git worktree common - CVE-2026-41686
Claude SDK for TypeScript has Insecure Default File Permissi - CVE-2026-39861
Claude Code: Sandbox Escape via Symlink Following Allows Arb - CVE-2026-35603
Claude Code: Insecure System-Wide Configuration Loading Enab
Same weakness: CWE-59
- CVE-2026-45539
Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agen - CVE-2026-44471
gitoxide: Symlink prefix-reuse allows worktree escape during - CVE-2026-43998
vm2: NodeVM require.root bypass via symlink traversal allows - CVE-2026-44220
ciguard: discover_pipeline_files follows symlinks out of sca - CVE-2026-8052
Nomad's exec2 task driver vulnerable to arbitrary file read/
V. Comments for CVE-2026-44470
No comments yet