A critical security vulnerability has been discovered in Claude Desktop Extensions that allows attackers to execute malicious code on target systems without requiring any user interaction, according to new research from browser security firm LayerX. The zero-click exploit affects approximately 50 Claude Desktop Extensions and could impact more than 10,000 active users worldwide.

The vulnerability, disclosed in a February 9 report, demonstrates how attackers can leverage seemingly harmless Google Calendar events to achieve remote code execution on systems running vulnerable Claude Desktop Extensions. LayerX assigned the flaw a maximum severity rating of 10.0 on the Common Vulnerability Scoring System (CVSS), indicating the highest possible risk level.

Unlike traditional browser extensions that operate within sandboxed environments, Claude Desktop Extensions execute with full system privileges on host machines. This architectural difference creates significant security implications, as these extensions can perform sensitive operations including reading arbitrary files, executing system commands, accessing stored credentials, and modifying operating system configurations.

The attack vector exploits Claude's Model Context Protocol (MCP) implementation, which enables the AI assistant to autonomously combine different tools and functions based on user requests. LayerX researchers demonstrated the vulnerability by instructing Claude to "check my latest events and take care of it." The AI interpreted this vague prompt as authorization to execute arbitrary instructions embedded within calendar events, effectively treating external data as trusted commands.

Claude Desktop Extensions are distributed as .mcpb bundles through Anthropic's extension marketplace, containing MCP server implementation code and manifest files that define exposed functions. This packaging differs substantially from Chrome extensions (.crx files) that operate under strict browser security constraints. The unrestricted execution environment of Claude DXT creates opportunities for exploitation that don't exist with conventional browser add-ons.

When LayerX reported their findings to Anthropic, the company declined to implement remediation measures, stating the vulnerability "falls outside our current threat model." Anthropic characterized Claude Desktop's MCP integration as a local development tool designed for users who explicitly configure and grant permissions to MCP servers within their own environments.

An Anthropic spokesperson emphasized that the described scenario requires targeted users to intentionally install and grant permissions to run these tools without prompts. The company recommended that users exercise equivalent caution when installing MCP servers as they would with any third-party software installation.

Despite Anthropic's response, LayerX's principal security researcher Roy Paz maintains the maximum severity rating based on established vulnerability assessment frameworks from the Forum of Incident Response and Security Teams (FIRST). Paz highlighted what he termed the "classic catch-22 of AI" - organizations must provide AI tools with deep system access to realize productivity benefits, yet AI providers often disclaim responsibility for security consequences resulting from that access.

This incident illuminates broader challenges facing the AI industry as these systems become increasingly integrated into enterprise environments. The autonomous nature of AI assistants, combined with their ability to chain together multiple tools and data sources, creates novel attack surfaces that traditional security models may inadequately address.

The vulnerability also raises questions about responsibility and accountability in AI security. As AI tools gain more sophisticated capabilities and deeper system integration, the industry faces pressure to develop comprehensive security frameworks that balance functional capabilities with robust protection against emerging threats.

The LayerX research underscores the need for what Paz describes as an "AI shared responsibility model" that clearly delineates security obligations between AI providers, extension developers, and end users. Without such frameworks, organizations deploying AI tools may face unexpected security risks that fall outside traditional threat models.

As AI assistants become more prevalent in enterprise environments, security professionals must carefully evaluate the permissions and access levels granted to these systems. The Claude Desktop Extensions vulnerability serves as a cautionary example of how AI's autonomous decision-making capabilities can be exploited when proper security boundaries are not enforced.

Related Links:

• LayerX Security Blog Report
• Model Context Protocol Information