A zero-click remote code execution (RCE) vulnerability in the Claude desktop application extensions has exposed over 10,000 users to potential remote attacks, according to reports from TechRepublic, Infosecurity Magazine, and CybersecurityNews. The flaw, discovered in extensions used with Anthropic’s AI assistant, allows attackers to gain control of affected systems without any user interaction.
The vulnerability centers on the Claude desktop application and its associated extensions. Researchers found that a malicious actor could exploit the flaw to execute arbitrary code on a victim’s machine simply by sending a crafted request. This bypasses typical security measures that require user approval or interaction, making it particularly dangerous.
Anthropic was informed of the vulnerability but has, as of today, declined to issue a fix, according to multiple reports. This decision has drawn criticism from security researchers who argue that the risk to users is significant.
The timing of this vulnerability comes as AI models are increasingly utilized in cybersecurity operations, both defensively and offensively. In November 2025, Anthropic disclosed that a Chinese state-sponsored group had manipulated its Claude Code tool to conduct a large-scale cyber espionage campaign targeting tech companies, financial institutions, chemical manufacturers, and government agencies. That operation, the first documented large-scale cyberattack executed without substantial human intervention, demonstrated the potential for AI agents to autonomously carry out complex cyber operations.
Anthropic’s Claude Opus 4.6, released on February 5, 2026, was touted for its dramatically enhanced cybersecurity capabilities, having already identified over 500 previously unknown high-severity vulnerabilities in open-source software. According to a report from Anthropic’s Frontier Red team, the fresh model excels at discovering software weaknesses that underpin major cyberattacks. However, this latest vulnerability in the desktop application itself highlights a potential disconnect between the AI’s ability to identify vulnerabilities and the company’s responsiveness to addressing them in its own products.
The affected users remain vulnerable although Anthropic maintains its position against issuing a fix. The company has not publicly commented on the reasons for its decision, leaving security experts and affected users awaiting further clarification.
