CVE-2026-7574: Anthropic Claude Desktop Cowork VM image handling (confirmed across v1.1348.0 through v1.2278.0, including v1.1348.0, v1
highvulnerabilityLLM-Specific
security
Summary
Anthropic Claude Desktop has a security flaw in versions v1.1348.0 through v1.2278.0 where it boots a VM (virtual machine, a simulated computer) without checking that the root filesystem image hasn't been tampered with. An attacker with basic access to a user's Mac can modify this image file, and the software will trust and run the modified version on the next boot, giving the attacker persistent control inside the VM and access to files shared with the host computer.
Vulnerability Details
CVSS Score
8.7(high)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector
local
Attack Complexity
low
Privileges Required
low
User Interaction
none
Disclosure Date
June 23, 2026
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
integrityconfidentiality
Affected Vendors
Anthropic
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-7574
First tracked: June 24, 2026 at 02:13 AM
Classified by LLM (prompt v3) · confidence: 92%