CVE-2026-44470: The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side
Summary
Claude Desktop for Windows had a security flaw in versions before 1.3834.0 where the CoworkVMService component (a background service running with high system privileges) did not properly check if directories were real folders or directory junctions (shortcuts that point to other locations) before creating files in them. An attacker with basic user access could trick this service into creating files in any location on the computer, potentially allowing them to gain administrator-level control of the system.
Solution / Mitigation
Update Claude Desktop to version 1.3834.0 or later, which includes a fix for this vulnerability.
Vulnerability Details
EPSS: 0.0%
May 13, 2026
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-44470
First tracked: May 13, 2026 at 08:10 PM
Classified by LLM (prompt v3) · confidence: 92%