Zero-Click Vulnerability in Claude Desktop Extensions Exposed 10,000+ Users to RCE

No Click Required

Security researchers disclosed a zero-click vulnerability in Claude's desktop extension (.dxt) system that could have exposed over 10,000 users to remote code execution without any user interaction.

The Vulnerability

The flaw existed in how Claude Desktop processed extensions:

• Malicious extensions could execute arbitrary code during installation
• No user confirmation or approval was needed
• The attack surface included any user who installed a compromised extension

Anthropic's Response

In an unusual move, Anthropic reportedly declined to fix the specific vulnerability, instead pointing to broader security measures and the extension review process as mitigating factors.

flowchart TD
    HUB(("No Click Required"))
    HUB --> L0["The Vulnerability"]
    style L0 fill:#e0e7ff,stroke:#6366f1,color:#1e293b
    HUB --> L1["Anthropic's Response"]
    style L1 fill:#e0e7ff,stroke:#6366f1,color:#1e293b
    HUB --> L2["Related Security Concerns"]
    style L2 fill:#e0e7ff,stroke:#6366f1,color:#1e293b
    HUB --> L3["The Broader Lesson"]
    style L3 fill:#e0e7ff,stroke:#6366f1,color:#1e293b
    style HUB fill:#4f46e5,stroke:#4338ca,color:#fff

Related Security Concerns

This disclosure came alongside the Check Point Research findings of CVE-2025-59536 and CVE-2026-21852, creating a pattern of security concerns around Claude's extensibility features:

• Hooks — Custom shell commands exploitable by malicious repos
• MCP Servers — Configuration injection points
• Extensions — Zero-click code execution
• Environment Variables — API key exfiltration vectors

The Broader Lesson

As AI tools gain more system access — editing files, running commands, installing extensions — their attack surface expands proportionally. The tension between powerful AI capabilities and security is becoming a defining challenge for the industry.

Security researchers recommend treating AI tool configurations with the same caution as running untrusted code.

Source: LayerX Security | Infosecurity Magazine | CyberNews

flowchart LR
    IN(["Input prompt"])
    subgraph PRE["Pre processing"]
        TOK["Tokenize"]
        EMB["Embed"]
    end
    subgraph CORE["Model Core"]
        ATTN["Self attention layers"]
        MLP["Feed forward layers"]
    end
    subgraph POST["Post processing"]
        SAMP["Sampling"]
        DETOK["Detokenize"]
    end
    OUT(["Generated text"])
    IN --> TOK --> EMB --> ATTN --> MLP --> SAMP --> DETOK --> OUT
    style IN fill:#f1f5f9,stroke:#64748b,color:#0f172a
    style CORE fill:#ede9fe,stroke:#7c3aed,color:#1e1b4b
    style OUT fill:#059669,stroke:#047857,color:#fff

flowchart TD
    HUB(("No Click Required"))
    HUB --> L0["The Vulnerability"]
    style L0 fill:#e0e7ff,stroke:#6366f1,color:#1e293b
    HUB --> L1["Anthropic's Response"]
    style L1 fill:#e0e7ff,stroke:#6366f1,color:#1e293b
    HUB --> L2["Related Security Concerns"]
    style L2 fill:#e0e7ff,stroke:#6366f1,color:#1e293b
    HUB --> L3["The Broader Lesson"]
    style L3 fill:#e0e7ff,stroke:#6366f1,color:#1e293b
    style HUB fill:#4f46e5,stroke:#4338ca,color:#fff

## Zero-Click Vulnerability in Claude Desktop Extensions Exposed 10,000+ Users to RCE — operator perspective Reading Zero-Click Vulnerability in Claude Desktop Extensions Exposed 10,000+ Users to RCE as an operator, the question isn't 'is this exciting?' — it's 'does this change anything in my agent loop, my prompt cache, or my cost per session?' On the CallSphere side, the practical filter is simple: would this make a 90-second appointment-booking call faster, cheaper, or more reliable? If the answer is "maybe in a benchmark," it doesn't ship to production. ## What AI news actually moves the needle for SMB call automation Most AI news is noise. A new benchmark score, a leaderboard reshuffle, a leaked memo — none of it changes whether your AI receptionist books appointments without dropping the call. The handful of things that *do* move production AI voice and chat are concrete: realtime API stability (does the WebSocket survive 5+ minutes without a stall?), language coverage (does it handle 57+ languages with usable accents, or is English the only first-class citizen?), tool-use reliability (does the model actually call the right function with the right argument types under load?), multi-agent handoffs (do specialist agents receive structured context, or just transcripts?), and latency under load (p95 first-token under 800ms when 200 concurrent calls hit the same endpoint?). The CallSphere rule on news is: if it doesn't move at least one of those five numbers in a measurable eval, it's a blog post, not a product change. What to track: provider changelogs for realtime endpoints, tool-call schema changes, language-add announcements, and any deprecation that pins your stack to a sunset date. What to ignore: leaderboard wins on tasks that don't map to your call flow, "agentic" benchmarks that don't measure tool latency, and demos that work because the prompt was hand-tuned for the demo. The teams that ship fastest treat AI news the same way ops teams treat CVE feeds — read everything, act on the small fraction that touches your runtime, archive the rest. ## FAQs **Q: How does zero-Click Vulnerability in Claude Desktop Extensions Exposed 10,000+ Users to RCE change anything for a production AI voice stack?** A: Most of the time it doesn't, and that's the right starting assumption. The relevant test is whether it improves at least one of: p95 first-token latency, tool-call argument accuracy on noisy inputs, multi-turn handoff stability, or per-session cost. CallSphere runs 37 specialized AI agents wired to 90+ function tools across 115+ database tables in 6 live verticals. **Q: What's the eval gate zero-Click Vulnerability in Claude Desktop Extensions Exposed 10,000+ Users to RCE would have to pass at CallSphere?** A: The eval gate is unsentimental — a regression suite that simulates real call traffic (noisy ASR, partial inputs, tool-call timeouts) measures four numbers, and a candidate has to win on three of four without losing badly on the fourth. Anything else is treated as a blog post, not a stack change. **Q: Where would zero-Click Vulnerability in Claude Desktop Extensions Exposed 10,000+ Users to RCE land first in a CallSphere deployment?** A: In a CallSphere deployment, new model and API capabilities land first in the post-call analytics pipeline (lower stakes, async, easy to roll back) and only later in the live realtime path. Today the verticals most likely to absorb new capability first are Real Estate, which already run the largest share of production traffic. ## See it live Want to see sales agents handle real traffic? Walk through https://sales.callsphere.tech or grab 20 minutes with the founder: https://calendly.com/sagar-callsphere/new-meeting.