New Zero-Click Flaw in Claude Extensions, Anthropic Declines Fix

By Team-CWD, February 9, 2026
A single Google Calendar event can silently compromise a system running Claude Desktop Extensions, according to security researchers at browser security provider LayerX.

In a new report published on February 9, LayerX disclosed a new critical vulnerability affecting 50 Claude Desktop Extensions (DXT).

If exploited, this flaw allows an attacker to achieve remote code execution (RCE) on a system running a vulnerable extension, without the victim needing to click on anything.

This issue was allocated a maximum-severity rating (CVSS of 10.0) and could impact over 10,000 active Claude DXT users.

Roy Paz, principal security researcher at LayerX, said his team reported the vulnerability to Anthropic, the company behind the Claude large language model (LLM) and associated services, including Claude DXT. However, Anthropic “decided not to fix it at this time,” Paz added.

Claude DXT: Full Privileges on the Host System

Claude Desktop Extensions are different from traditional browser extensions. Like a typical Chrome browser extension, a Claude DXT offers a one-click installation process.

While a Chrome extension is a simple browser add-on distributed as a .crx package, Claude DXT are Model Context Protocol (MCP) servers packaged and distributed through Anthropic’s extension marketplace. Each DXT is made up of a .mcpb bundle, which Paz likened to a .zip archive file, that includes the MCP server implementation code as well as a manifest defining the extension’s exposed functions.

The differences go even further in the authorizations granted to Claude DXT. While Chrome extensions run inside a tightly sandboxed browser environment and don’t have direct system access, Claude DXT execute without sandboxing and with full privileges on the host system, LayerX’s Paz noted.

As a result, Claude DXT can perform sensitive actions, such as:

  • Read arbitrary files
  • Execute system commands
  • Access stored credentials
  • Modify operating system settings

Claude DXT Vulnerability Leads to Malicious Code Execution

This vulnerability stems from how MCP-based systems like Claude DXT autonomously chain together different tools to fulfil user requests without enforcing proper security boundaries.

MCP allows Claude to dynamically select and combine external connectors, such as Google Calendar for reading events and local executors for running code, based on vague prompts.

For instance, when researchers told Claude to “check my latest events and take care of it,” the AI assistant interpreted “take care of it” as a justification to execute arbitrary instructions embedded in those events.

Paz said that an attacker could exploit such behavior by crafting a seemingly harmless calendar event containing malicious instructions that a Claude DXT will execute, which could lead to full remote code execution on the victim’s system.

Without safeguards, MCP treats data from low-risk sources (like a calendar) as trusted input for high-risk actions (like running local code), creating an unintended path for exploitation.
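The missing boundary described above can be enforced in the component that dispatches tool calls: once untrusted connector output has entered the session, high-risk tools require explicit user confirmation. The sketch below is an added example, not code from LayerX, Anthropic or any MCP SDK; the tool names, risk labels and the `ToolGate` class are hypothetical, and the calendar text is constructed.

```python
from dataclasses import dataclass, field

# Hypothetical tool names and risk labels, chosen for this example only.
UNTRUSTED_SOURCES = {"calendar.list_events"}                  # third-party authored content
HIGH_RISK_TOOLS = {"local.run_command", "local.write_file"}   # act on the host


@dataclass
class ToolGate:
    """Tracks which untrusted connectors have fed the model context in a
    session and gates high-risk tool calls on that taint."""
    tainted_by: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def record_result(self, tool: str, result: str) -> str:
        # Anything returned by an untrusted connector taints the session:
        # the model may now be acting on instructions it read there.
        if tool in UNTRUSTED_SOURCES:
            self.tainted_by.add(tool)
        return result

    def authorize(self, tool: str, user_confirmed: bool = False) -> str:
        if tool not in HIGH_RISK_TOOLS or not self.tainted_by:
            decision = "allow"
        elif user_confirmed:
            decision = "allow-after-confirmation"
        else:
            decision = "needs-confirmation"  # caller must not dispatch the call
        # Keep a record of what tainted the session for later review.
        self.audit.append((tool, sorted(self.tainted_by), decision))
        return decision


def constructed_session() -> list:
    """Replays the calendar-to-executor chain against the gate (constructed data)."""
    gate = ToolGate()
    decisions = [gate.authorize("local.run_command")]  # before any untrusted read
    gate.record_result("calendar.list_events",
                       "Team sync 10:00. <third-party text placed in the event body>")
    decisions.append(gate.authorize("calendar.list_events"))
    decisions.append(gate.authorize("local.run_command"))
    decisions.append(gate.authorize("local.run_command", user_confirmed=True))
    return decisions


if __name__ == "__main__":
    for decision in constructed_session():
        print(decision)
```

The audit list records which connector tainted the session before each decision, which gives responders a trail from a host action back to the data source that preceded it.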

The Flaw Falls Outside Anthropic’s Threat Model

LayerX reported the vulnerability to Anthropic, which declined to take any action, saying the flaw “falls outside our current threat model.”

“Claude Desktop’s MCP integration is designed as a local development tool that operates within the user’s own environment. Users explicitly configure and grant permissions to MCP servers they choose to run locally, and these servers have access to resources based on the user’s permissions,” said Anthropic.

“The scenario you’ve described involves the interaction between multiple MCP connectors that a user has intentionally installed and granted permission to run without permission prompts. Since users maintain full control over which MCP servers they enable and the permissions those servers have, the security boundary is defined by the user’s configuration choices and their system’s existing security controls.”

Despite this response, LayerX’s Paz said he allocated the flaw a maximum-severity CVSS rating of 10.0 based on two vulnerability severity benchmarks (CVSS versions 3.0 and 4.0) developed by the Forum of Incident Response and Security Teams (FIRST).

Speaking to Infosecurity, he commented: “Exploits such as this one demonstrate the classic catch-22 of AI: to unlock the productivity benefits of AI, you need to give these tools deep access to sensitive data. But if any data is compromised as a result, the AI and model providers don’t see themselves responsible for the security of users using their products. This highlights the need for an AI ‘shared responsibility’ model where it is clear who is responsible for the different layers of security of AI tools.”

Infosecurity contacted Anthropic, but the company had not responded to a request for comment at the time of publication.

Image credits: yalicn / Thaspol Sangsee / Shutterstock
