CVE-2026-44467: The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side
Summary
The Claude Desktop app's SSH remote development feature (versions 1.2581.0 to before 1.4304.0) had a security flaw where it only checked if a hostname was in the ~/.ssh/known_hosts file without verifying that the server's actual host key matched the stored one. This allowed a network attacker (someone who could intercept traffic through methods like ARP spoofing or rogue Wi-Fi) to perform a man-in-the-middle attack (secretly intercepting and potentially altering communications between two parties) on remote development sessions, as long as the hostname was already in the victim's known_hosts file.
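The gap between a hostname-presence check and a real host key comparison, as an added Python example (not Claude Desktop's code and not part of the original advisory). All hostnames, key blobs and function names are constructed for illustration; wildcard host patterns and @cert-authority certificate validation are not handled.

```python
import base64, hashlib, hmac

def host_matches(field, host):
    """True if a known_hosts host field names `host` (exact names only, no wildcards)."""
    if field.startswith("|1|"):  # HashKnownHosts form: |1|salt|HMAC-SHA1(salt, host)
        parts = field.split("|")
        if len(parts) != 4:
            return False
        mac = hmac.new(base64.b64decode(parts[2]), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(parts[3]))
    return host in field.split(",")

def parse_known_hosts(text):
    """Yield (marker, host_field, key_type, key_blob) for each key line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else ""
        if len(fields) >= 3:
            yield marker, fields[0], fields[1], base64.b64decode(fields[2])

def hostname_only_check(text, host):
    """Flawed logic as the advisory describes it: the name being present is enough."""
    return any(host_matches(f, host) for m, f, _, _ in parse_known_hosts(text) if not m)

def verify_host_key(text, host, key_type, presented):
    """Return 'ok', 'mismatch', 'revoked' or 'unknown'; connect only on 'ok'."""
    seen = matched = False
    for marker, field, ktype, blob in parse_known_hosts(text):
        same = ktype == key_type and hmac.compare_digest(blob, presented)
        if marker == "@revoked" and same:
            return "revoked"  # simplification: revocation applies to every host
        if marker or not host_matches(field, host):
            continue  # @cert-authority lines need certificate validation, not shown
        seen, matched = True, matched or same
    return "ok" if matched else ("mismatch" if seen else "unknown")

# Constructed sample data: placeholder blobs, not real SSH keys.
b64 = lambda b: base64.b64encode(b).decode()
PINNED, ROGUE, REVOKED, SALT = b"pinned-key", b"rogue-key", b"revoked-key", b"sample-salt"
HASHED = "|1|%s|%s" % (b64(SALT), b64(hmac.new(SALT, b"build.example.test", hashlib.sha1).digest()))
KNOWN_HOSTS = "\n".join([
    "dev.example.test,192.0.2.10 ssh-ed25519 " + b64(PINNED),
    HASHED + " ssh-ed25519 " + b64(PINNED),
    "@revoked * ssh-ed25519 " + b64(REVOKED),
])

if __name__ == "__main__":
    print(verify_host_key(KNOWN_HOSTS, "dev.example.test", "ssh-ed25519", ROGUE))
```

The hostname-only function returns True for a known host whatever key the server presents, while the key comparison fails closed on a mismatched, revoked or unknown key.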
Solution / Mitigation
Update Claude Desktop to version 1.4304.0 or later.
Vulnerability Details
EPSS: 0.0%
May 13, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-44467
First tracked: May 13, 2026 at 08:10 PM